CN104104687A - Safe login method and system - Google Patents

Safe login method and system

Publication number: CN104104687A
Application number: CN201410362690.5A
Other versions: CN104104687B
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 陆舟, 于华章
Assignee (original and current): Feitian Technologies Co Ltd
Legal status: granted, active
Prior art keywords: authenticating device, module, sensitive information, dynamic password, data
Classification landscape: Telephonic Communication Services

Abstract

The invention discloses a secure login method and system. The client sends a sensitive information issuing request to the authentication center. The authentication center looks up the second sensitive information, generates a random number, first reply data and a response message, and sends the response message to the client. The client extracts the first reply data and the second sensitive information from the response message and forwards the first reply data to the authentication device. The authentication device recovers the second sensitive information and the random number from the first reply data and returns the second sensitive information to the client. If the client finds that the second sensitive information returned by the device matches the second sensitive information taken from the response message, the authentication device generates a first dynamic password from its time factor, the preset algorithm and the random number, and sends it to the authentication center through the client. The authentication center generates a second dynamic password from the stored random number, its own time factor and the preset algorithm and compares the two: if they match, authentication succeeds; otherwise it fails.

Description

Secure login method and system
Technical field
The present invention relates to the field of information security, and in particular to a secure login method and system.
Background
Dynamic passwords are one of the identity authentication technologies now adopted by a growing number of industries. Because they are easy to use and platform-independent, and with the growth of the mobile Internet, dynamic passwords have become the mainstream technology for authenticating users at login and are widely used in enterprise and e-commerce settings. Terminals that generate dynamic passwords currently include hardware tokens, SMS passwords and mobile-phone tokens. Although existing dynamic-password authentication is convenient and fast, the dynamic password can be intercepted or tampered with while it is transmitted, so existing dynamic-password login methods offer poor security.
Summary of the invention
The object of the invention is to overcome the shortcomings of the prior art by providing a secure login method and system that achieve secure login.
The secure login method provided by the invention is applied in a system comprising a client, an authentication center and an authentication device, and comprises:
Step S1: When the client detects a trigger, it obtains the authentication device serial number and the first sensitive information identifier of the authentication device, generates a sensitive information issuing request from the serial number and the identifier, and sends the request to the authentication center.
Step S2: The authentication center looks up the first sensitive information corresponding to the first sensitive information identifier in the request, looks up the second sensitive information held by the authentication center, generates a random number, stores the random number in association with the authentication device serial number in the request, generates first reply data from the first sensitive information, the second sensitive information and the random number, generates a response message from the first reply data and the second sensitive information, and sends the response message to the client.
Step S3: The client obtains the first reply data and the second sensitive information from the response message and sends the first reply data to the authentication device.
Step S4: The authentication device obtains the first sensitive information, the second sensitive information and the random number from the received first reply data, and displays the first sensitive information.
Step S5: When the authentication device detects that a button has been pressed, it determines which button it was: if the first button, it returns to the client the second sensitive information obtained from the first reply data and proceeds to step S7; if the second button, it returns an error code to the client and proceeds to step S6.
Step S6: The client receives the error code sent by the authentication device, displays a login failure message according to the error code, and ends.
Step S7: The client checks whether the second sensitive information received from the device matches the second sensitive information obtained from the response message; if so, it sends a login instruction to the authentication device and proceeds to step S8; otherwise it displays a login failure message and ends.
Step S8: The authentication device generates a first dynamic password from its own time factor, the preset algorithm and the random number obtained from the first reply data, and sends the first dynamic password and its serial number to the client.
Step S9: The client sends the first dynamic password and the authentication device serial number to the authentication center.
Step S10: The authentication center looks up the random number stored for the authentication device serial number, generates a second dynamic password from that random number, the authentication center's time factor and the preset algorithm, and checks whether the first dynamic password matches the second; if so, it sends an authentication success message to the client and ends; otherwise it returns an error code to the client and proceeds to step S11.
Step S11: The client receives the error code sent by the authentication center, displays a login failure message according to the error code, and ends.
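The flow of steps S1 to S11, worked through as an added example that is not part of the patent: a Go simulation of the three parties in which the response message carries a sealed part for the device and the second sensitive information in clear for the client, the authentication center stores the random number per device serial number and clears it once used, and the dynamic password is an HMAC-SHA1 code over the random number and a 30-second time step under a per-device seed. The HMAC construction, the seed, the one-step clock tolerance and the sample values (serial FT0001, identifier acct-42, the phrase "blue elephant") are assumptions: the patent does not fix the preset algorithm, and the encryption and signature that protect the sealed part are omitted here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed "preset algorithm" (the patent leaves it open): HMAC-SHA1 over
// (random number || 30-second time step) under a per-device seed shared at
// enrolment, truncated to six digits as in RFC 4226/6238 tokens.
const timeStep = 30

func dynamicPassword(seed, nonce []byte, unixTime int64) string {
	mac := hmac.New(sha1.New, seed)
	mac.Write(nonce)
	var step [8]byte
	binary.BigEndian.PutUint64(step[:], uint64(unixTime/timeStep))
	mac.Write(step[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Sealed is the first reply data, readable only by the device (the encryption
// and signature around it are left out here); Reply is the response message of
// step S2: the sealed part plus the second sensitive information in clear.
type Sealed struct {
	First, Second string
	Nonce         []byte
}
type Reply struct {
	Sealed Sealed
	Second string
}

type AuthCenter struct {
	seeds   map[string][]byte // device serial -> OTP seed
	infos   map[string]string // first sensitive information identifier -> value
	second  string            // second sensitive information shown to the user
	pending map[string][]byte // device serial -> random number awaiting a password
}

// NewAuthCenter returns a center with a single enrolled device (sample data).
func NewAuthCenter(second, serial string, seed []byte, infoID, info string) *AuthCenter {
	return &AuthCenter{map[string][]byte{serial: seed}, map[string]string{infoID: info},
		second, map[string][]byte{}}
}

// IssueRequest is step S2: generate the random number, store it under the
// serial number and build the response message.
func (c *AuthCenter) IssueRequest(serial, infoID string) (Reply, error) {
	info, ok := c.infos[infoID]
	if _, enrolled := c.seeds[serial]; !ok || !enrolled {
		return Reply{}, errors.New("unknown device or sensitive information identifier")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Reply{}, err
	}
	c.pending[serial] = nonce
	return Reply{Sealed{info, c.second, nonce}, c.second}, nil
}

// VerifyPassword is step S10: recompute the password from the stored random
// number and the center's clock (one step of drift allowed) and compare in
// constant time. The patent clears the random number after success; clearing
// it on failure too stops guessing six-digit codes against the same number.
func (c *AuthCenter) VerifyPassword(serial, pwd string, now int64) error {
	nonce, ok := c.pending[serial]
	if !ok {
		return errors.New("no random number pending for this device")
	}
	delete(c.pending, serial)
	for _, t := range []int64{now - timeStep, now, now + timeStep} {
		if hmac.Equal([]byte(dynamicPassword(c.seeds[serial], nonce, t)), []byte(pwd)) {
			return nil
		}
	}
	return errors.New("dynamic password mismatch")
}

// CompleteLogin is the client side of steps S3 to S11 once the response message
// has arrived (possibly altered in transit) for a device holding seed.
func CompleteLogin(c *AuthCenter, serial string, seed []byte, reply Reply, now int64) error {
	// Steps S5 and S7: the user confirmed the displayed first sensitive
	// information, and the second sensitive information the device recovered
	// must equal the one the client was told, or the sealed data is not ours.
	if reply.Sealed.Second != reply.Second {
		return errors.New("second sensitive information mismatch")
	}
	pwd := dynamicPassword(seed, reply.Sealed.Nonce, now) // step S8
	return c.VerifyPassword(serial, pwd, now)              // steps S9 and S10
}

func main() {
	seed := []byte("0123456789abcdef0123") // constructed sample data
	c := NewAuthCenter("blue elephant", "FT0001", seed, "acct-42", "transfer to account 42")
	reply, _ := c.IssueRequest("FT0001", "acct-42")
	fmt.Println("login:", CompleteLogin(c, "FT0001", seed, reply, 1700000000))
	reply, _ = c.IssueRequest("FT0001", "acct-42")
	reply.Sealed.Second = "red fox" // attacker swaps in sealed data from another session
	fmt.Println("tampered:", CompleteLogin(c, "FT0001", seed, reply, 1700000000))
}
```

The comparison in step S7 is what ties the device's view to the client's session: an attacker who substitutes sealed data from a session of their own gets a different second sensitive information back from the device, and the client stops before any password is generated. Because the random number lives only until the first verification attempt and the password has six digits, consuming it on a failed attempt as well matters; a server that kept it would let an attacker try codes against the same random number until one hit.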
In one embodiment, the client obtains the authentication device serial number and the first sensitive information identifier by sending a get instruction to the authentication device and receiving the serial number and identifier that the device returns.
In another embodiment, the client receives user information entered by the user and looks up, within the client, the authentication device serial number and first sensitive information identifier that correspond to that user information.
Before step S2 the method may further comprise:
Step A1: The authentication center judges from the sensitive information issuing request whether the authentication device is legitimate; if so, it performs step S2; otherwise it returns an error code to the client and proceeds to step A2.
Step A2: The client receives the error code sent by the authentication center, displays a login failure message according to the error code, and ends.
Step A1 is specifically: the authentication center looks up the state and the public key of the authentication device identified by the serial number in the request; if the state shows that the device is available and the public key exists, it performs step S2; otherwise it returns an error code to the client and proceeds to step A2.
Generating the first reply data from the first sensitive information, the second sensitive information and the random number is specifically: the authentication center looks up the authentication device public key corresponding to the serial number in the request, splices the first sensitive information, the second sensitive information and the random number into first data, encrypts the first data with the authentication device public key to obtain first encrypted data, signs the first encrypted data with the authentication center private key to obtain a first signature value, and obtains the first reply data from the first encrypted data and the first signature value.
Before step S4 the method further comprises:
Step B1: The authentication device verifies the signature on the received first reply data with the stored authentication center public key; if verification succeeds, it performs step S4; otherwise it returns an error code to the client and proceeds to step B2.
Step B2: The client receives the error code sent by the authentication device, displays a login failure message according to the error code, and ends.
The authentication device obtaining the first sensitive information, the second sensitive information and the random number from the first reply data is specifically: the device decrypts the first encrypted data in the received first reply data with the authentication device private key to obtain the first data, and splits the first data into the first sensitive information, the second sensitive information and the random number.
In one embodiment, the first reply data is obtained from the first encrypted data and the first signature value as follows: the authentication center base64-encodes the first encrypted data to obtain first character data, base64-encodes the first signature value to obtain second character data, and concatenates the first and second character data to form the first reply data. Correspondingly, the authentication device base64-decodes the first character data in the received first reply data to obtain the first encrypted data, base64-decodes the second character data to obtain the first signature value, and verifies the signature on the first reply data using the decoded first encrypted data and first signature value.
In another embodiment, the authentication center concatenates the first encrypted data and the first signature value to obtain second data and base64-encodes the second data to obtain the first reply data. Correspondingly, the authentication device base64-decodes the received first reply data to obtain the second data and verifies the signature on the first reply data using the first encrypted data and the first signature value contained in the second data.
Verifying the signature on the first reply data is specifically: the authentication device applies the authentication center public key to the first signature value to obtain first verification data, and checks whether the first verification data equals the first encrypted data obtained by base64 decoding; if so, verification succeeds; otherwise it fails.
Generating the response message from the first reply data and the second sensitive information is specifically: the authentication center concatenates the first reply data and the second sensitive information into the response message. Obtaining the first reply data and the second sensitive information from the response message is specifically: the client splits the response message into the first reply data and the second sensitive information.
Step S3 may further comprise the client displaying the second sensitive information. In step S5, after the authentication device detects that the first button has been pressed, it may also display the second sensitive information obtained from the first reply data.
In step S7, before the client sends the login instruction to the authentication device, the method may further comprise:
Step C1: The client judges from the authentication device serial number whether the authentication device is bound to a user; if so, it performs step C3; otherwise it performs step C2.
Step C2: The client prompts the user to register, receives the user information the user enters, binds the user to the authentication device according to that user information, and performs step C3.
Step C3: The client sends the login instruction to the authentication device.
The client judging from the serial number whether the device is bound to a user is specifically: the client checks whether it can find, within the client, user information corresponding to the authentication device serial number; if so, the device is bound to the user; otherwise it is not bound.
Binding the user to the authentication device according to the received user information is specifically: the client stores the received user information in association with the authentication device serial number, which completes the binding.
In step S7, after the client determines that the second sensitive information received matches the second sensitive information obtained from the response message, the method may further comprise: the client obtains the user information corresponding to the authentication device. Before step S9 the method then comprises: the client judges from the user information whether the user is legitimate; if so, it performs step S9; otherwise it displays a login failure message and ends.
The client judging from the user information whether the user is legitimate is specifically: the client looks up the user status corresponding to the user information and checks whether the status is abnormal; if so, the user is illegitimate; otherwise the user is legitimate.
Before step S8 the method may further comprise:
Step D1: After receiving the login instruction, the authentication device prompts the user whether to log in.
Step D2: When the authentication device detects that a button has been pressed, it determines which button it was: if the first button, it performs step S8; if the second button, it returns an error code to the client and proceeds to step D3.
Step D3: The client receives the error code sent by the authentication device, displays a login failure message according to the error code, and ends.
The authentication device generating the first dynamic password from its time factor, the preset algorithm and the random number obtained from the first reply data is specifically:
Step E1: The authentication device generates a first plaintext dynamic password from its time factor, the preset algorithm and the random number obtained from the first reply data.
Step E2: The authentication device encrypts the first plaintext dynamic password with the authentication center public key to obtain a first ciphertext dynamic password.
Step E3: The authentication device signs the first ciphertext dynamic password with the authentication device private key to obtain a second signature value.
Step E4: The authentication device obtains the first dynamic password from the first ciphertext dynamic password and the second signature value.
Step S10 is then specifically:
Step F1: The authentication center verifies the signature on the received first dynamic password with the authentication device public key; if verification succeeds, it performs step F2; otherwise it returns an error code to the client and proceeds to step S11.
Step F2: The authentication center looks up the random number stored for the authentication device serial number, generates a second plaintext dynamic password from that random number, the authentication center's time factor and the preset algorithm, and decrypts the first ciphertext dynamic password in the first dynamic password with the authentication center private key to obtain the first plaintext dynamic password.
Step F3: The authentication center checks whether the first plaintext dynamic password matches the second plaintext dynamic password; if so, it sends an authentication success message to the client and ends; otherwise it returns an error code to the client and proceeds to step S11.
The authentication device obtaining the first dynamic password from the first ciphertext dynamic password and the second signature value comprises: the device base64-encodes the first ciphertext dynamic password to obtain third character data, base64-encodes the second signature value to obtain fourth character data, and concatenates the third and fourth character data to obtain the first dynamic password.
The authentication center verifying the signature on the first dynamic password with the authentication device public key is specifically: the authentication center splits the first dynamic password into the third and fourth character data, base64-decodes the third character data to obtain the first ciphertext dynamic password, base64-decodes the fourth character data to obtain the second signature value, applies the authentication device public key to the decoded second signature value to obtain second verification data, and checks whether the second verification data equals the first ciphertext dynamic password obtained by base64 decoding; if so, verification succeeds; otherwise it fails.
After the authentication center determines that the received first dynamic password matches the generated second dynamic password, the method further comprises: clearing the random number.
Before generating the second dynamic password in step S10, the method comprises: the authentication center checks whether a random number was found for the serial number; if so, it continues; otherwise it returns an error code to the client and proceeds to step S11.
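The envelope used in both directions, from the authentication center to the device (first encrypted data plus first signature value, in the base64 variants described above) and from the device back to the center (first ciphertext dynamic password plus second signature value, steps E1 to E4 and F1 to F3), as an added example in Go that is not the patent's code: one Seal/Open pair serves both, since the construction is identical with the roles swapped. Assumptions: RSA-OAEP for the encryption and RSA-PSS over a SHA-256 digest of the ciphertext for the signature (the patent describes a raw public-key operation on the signature value compared directly with the encrypted data, and names no padding), a '.' separator between the two base64 strings instead of plain concatenation, and a one-byte length prefix for the splice of step S2. FirstData, SplitFirstData, Seal, Open and the sample values are hypothetical names and constructed data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// FirstData splices the fields of step S2 into one byte string. Each field is
// length-prefixed (an assumption; the patent does not say how the splice is
// delimited) so the device can split it unambiguously in step S4. Fields are
// assumed to be shorter than 256 bytes.
func FirstData(first, second string, nonce []byte) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(first), []byte(second), nonce} {
		out = append(out, byte(len(f)))
		out = append(out, f...)
	}
	return out
}

func SplitFirstData(b []byte) (first, second string, nonce []byte, err error) {
	var f [3][]byte
	for i := range f {
		if len(b) == 0 || len(b) < 1+int(b[0]) {
			return "", "", nil, errors.New("truncated first data")
		}
		n := int(b[0])
		f[i], b = b[1:1+n], b[1+n:]
	}
	if len(b) != 0 {
		return "", "", nil, errors.New("trailing bytes in first data")
	}
	return string(f[0]), string(f[1]), f[2], nil
}

// Seal builds the envelope of steps S2 and E1 to E4: encrypt for the recipient,
// sign the ciphertext as the sender, base64 both parts and join them. The
// patent concatenates the two strings directly; a '.' separator (never part of
// base64 output) is used here so the receiver need not know the key size.
func Seal(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, plaintext []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, plaintext, nil)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	enc := base64.StdEncoding
	return enc.EncodeToString(ct) + "." + enc.EncodeToString(sig), nil
}

// Open is the receiving side (step B1 then S4, or F1 then F2): split, decode,
// check the signature over the ciphertext first, and only then decrypt.
func Open(senderPub *rsa.PublicKey, recipientPriv *rsa.PrivateKey, envelope string) ([]byte, error) {
	parts := strings.Split(envelope, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed envelope")
	}
	ct, err := base64.StdEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature verification failed") // error code path (B2 or S11)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ct, nil)
}

func main() {
	center, _ := rsa.GenerateKey(rand.Reader, 2048) // authentication center key pair
	device, _ := rsa.GenerateKey(rand.Reader, 2048) // authentication device key pair
	nonce := []byte{0xde, 0xad, 0xbe, 0xef}           // constructed sample random number

	// Center -> device: the first reply data.
	replyData, _ := Seal(center, &device.PublicKey, FirstData("transfer to account 42", "blue elephant", nonce))
	pt, err := Open(&center.PublicKey, device, replyData)
	if err != nil {
		panic(err)
	}
	fmt.Println(SplitFirstData(pt))

	// Device -> center: the dynamic password travels in the same kind of envelope.
	pwd, _ := Seal(device, &center.PublicKey, []byte("493817"))
	fmt.Println(Open(&device.PublicKey, center, pwd))
}
```

Open verifies the signature before touching the ciphertext, which is the order steps B1 and F1 require; it also means a forged or altered ciphertext is rejected without ever reaching the decryption routine, so decryption errors on attacker-chosen input are never observable. The plain concatenation of the two base64 strings described above splits correctly only because both RSA outputs have the fixed length of the modulus; the separator removes that dependency. Note that the signature covers the ciphertext alone, not the serial number or session, which is why the step S7 comparison of the second sensitive information is still needed to detect a reply blob replayed from another session.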
The secure login system provided by the invention comprises a client, an authentication center and an authentication device.
The client comprises a first detection module, a first acquisition module, a first generation module, a first sending module, a first receiving module, a first processing module, a first display module and a first judging module.
The first detection module detects whether a trigger is present.
The first acquisition module, after the first detection module detects a trigger, obtains the authentication device serial number and the first sensitive information identifier of the authentication device.
The first generation module generates the sensitive information issuing request from the authentication device serial number and the first sensitive information identifier obtained by the first acquisition module.
The first sending module sends the sensitive information issuing request generated by the first generation module to the authentication center; sends the first reply data obtained by the first processing module to the authentication device; sends the login instruction to the authentication device when the first judging module determines that the second sensitive information received by the first receiving module matches the second sensitive information obtained by the first processing module; and, after the first receiving module receives the first dynamic password and authentication device serial number sent by the authentication device, sends the first dynamic password and the serial number to the authentication center.
The first receiving module receives the response message sent by the authentication center, the error code sent by the authentication device, the second sensitive information sent by the authentication device, the first dynamic password and authentication device serial number sent by the authentication device, the authentication success message sent by the authentication center, and the error code sent by the authentication center.
The first processing module obtains the first reply data and the second sensitive information from the response message received by the first receiving module.
The first display module displays a login failure message according to an error code received by the first receiving module, and displays a login failure message when the first judging module determines that the second sensitive information received by the first receiving module does not match the second sensitive information obtained by the first processing module.
The first judging module judges whether the second sensitive information received by the first receiving module matches the second sensitive information obtained by the first processing module.
The authentication center comprises a second receiving module, a first lookup module, a second generation module, a third generation module, a fourth generation module, a second sending module, a second lookup module, a fifth generation module and a second judging module.
The second receiving module receives the sensitive information issuing request sent by the client, and receives the first dynamic password and authentication device serial number sent by the client.
The first lookup module looks up the first sensitive information corresponding to the first sensitive information identifier in the request received by the second receiving module, and looks up the second sensitive information held by the authentication center.
The second generation module generates the random number and stores it in association with the authentication device serial number in the request received by the second receiving module.
The third generation module generates the first reply data from the first sensitive information and second sensitive information found by the first lookup module and the random number generated by the second generation module.
The fourth generation module generates the response message from the first reply data generated by the third generation module and the second sensitive information found by the first lookup module.
The second sending module sends the response message generated by the fourth generation module to the client; sends an authentication success message to the client when the second judging module determines that the first dynamic password received by the second receiving module matches the second dynamic password generated by the fifth generation module; and returns an error code to the client when the second judging module determines that they do not match.
The second lookup module looks up the random number corresponding to the authentication device serial number received by the second receiving module.
The fifth generation module generates the second dynamic password from the random number found by the second lookup module, the time factor in the authentication center and the preset algorithm.
The second judging module judges whether the first dynamic password received by the second receiving module matches the second dynamic password generated by the fifth generation module.
The authentication device comprises a third receiving module, a second processing module, a second display module, a second detection module, a third judging module, a third sending module and a sixth generation module.
The third receiving module receives the first reply data sent by the client and the login instruction sent by the client.
The second processing module obtains the first sensitive information, the second sensitive information and the random number from the first reply data received by the third receiving module.
The second display module displays the first sensitive information obtained by the second processing module.
The second detection module detects whether a button is pressed while the second display module is displaying the first sensitive information.
The third judging module determines, after the second detection module detects a button press, which button was pressed.
The third sending module sends the first dynamic password generated by the sixth generation module to the client; returns to the client the second sensitive information obtained by the second processing module when the third judging module determines that the first button was pressed; and returns an error code to the client when the third judging module determines that the second button was pressed.
The sixth generation module, after the third receiving module receives the login instruction, generates the first dynamic password from the time factor in the authentication device, the preset algorithm and the random number obtained by the second processing module.
Described the first sending module is also for sending and obtain instruction to described authenticating device;
Authenticating device sequence number and the first sensitive information sign that described the first receiver module also returns for receiving described authenticating device.
Described the first receiver module is also for receiving the user profile of user's input;
The described user profile of described the first acquisition module specifically for receiving according to described the first receiver module, in authenticating device sequence number corresponding to described client internal searching and the first sensitive information sign.
Described authentication center also comprises: the 4th judge module, for the described sensitive information receiving according to described the second receiver module, issue request, and judge that whether described authenticating device is legal;
Described first searches module, also, for after judging that when described the 4th judge module described authenticating device is legal, carries out work;
Described the second sending module, also, for after judging that when described the 4th judge module described authenticating device is illegal, returns to error code to described client.
Described the 4th judge module issues the described authenticating device sequence number in request specifically for the described sensitive information receiving according to described the second receiver module, search state and the authenticating device PKI of corresponding authenticating device, if according to the state of the described authenticating device finding, judge that described authenticating device can be used and described authenticating device PKI exists, determine that described authenticating device is legal, otherwise determine that described authenticating device is illegal.
The third generation module comprises a first lookup unit, a first combining unit, a first encryption unit, a first signature unit and a first processing unit;
the first lookup unit is configured to look up, in the authentication center, the authenticating device public key corresponding to the authenticating device serial number in the sensitive information issuing request;
the first combining unit is configured to concatenate the first sensitive information, the second sensitive information and the random number to obtain first data;
the first encryption unit is configured to encrypt the first data with the authenticating device public key found by the first lookup unit to obtain first encrypted data;
the first signature unit is configured to sign the first encrypted data with the authentication center private key to obtain a first signature value;
the first processing unit is configured to obtain the first reply data from the first encrypted data and the first signature value.
The authenticating device further comprises a first signature verification module configured to verify, with the stored authentication center public key, the signature of the first reply data received by the third receiving module and to judge whether the verification succeeds;
the second processing module is further configured to operate after the first signature verification module judges that the verification succeeded;
the third sending module is further configured to return an error code to the client after the first signature verification module judges that the verification failed;
the second processing module is specifically configured to decrypt, with the authenticating device private key, the first encrypted data in the first reply data received by the third receiving module to obtain the first data, and to split the first data to obtain the first sensitive information, the second sensitive information and the random number.
The first processing unit is specifically configured to base64-encode the first encrypted data to obtain first character data, base64-encode the first signature value to obtain second character data, and concatenate the first character data and the second character data to generate the first reply data;
the first signature verification module is then specifically configured to base64-decode the first character data in the first reply data received by the third receiving module to obtain the first encrypted data, base64-decode the second character data in the first reply data to obtain the first signature value, and verify the signature of the first reply data using the decoded first encrypted data and first signature value.
Alternatively, the first processing unit is specifically configured to concatenate the first encrypted data and the first signature value to obtain second data, and to base64-encode the second data to obtain the first reply data;
the first signature verification module is then specifically configured to base64-decode the first reply data received by the third receiving module to obtain the second data, and to verify the signature of the first reply data using the first encrypted data and the first signature value contained in the decoded second data.
The first signature verification module is specifically configured to perform a computation on the first signature value with the authentication center public key to obtain first verification data, and to judge whether the first verification data is consistent with the base64-decoded first encrypted data; if so, the signature verification succeeds, otherwise it fails.
The fourth generation module is specifically configured to concatenate the first reply data and the second sensitive information to generate the response message;
the first processing module is specifically configured to split the response message to obtain the first reply data and the second sensitive information.
The first display module is further configured to display the second sensitive information obtained by the first processing module;
the second display module is further configured to display the second sensitive information obtained by the second processing module.
The client further comprises a fifth judgment module and a registration module;
the fifth judgment module is configured to judge, according to the authenticating device serial number, whether the authenticating device is bound to a user, when the first judgment module judges that the second sensitive information received by the first receiving module is consistent with the second sensitive information obtained by the first processing module;
the registration module is configured to prompt the user to register after the fifth judgment module judges that the authenticating device is not bound to a user, receive the user information entered by the user, and bind the user to the authenticating device according to the received user information;
the first sending module is specifically configured to send the login instruction to the authenticating device after the registration module has completed its work, or after the fifth judgment module judges that the authenticating device is already bound to a user.
The fifth judgment module is specifically configured to judge whether user information corresponding to the authenticating device serial number can be found inside the client; if so, the authenticating device is determined to be bound to the user, otherwise it is determined not to be bound to the user.
The registration module is specifically configured to prompt the user to register, receive the user information entered by the user, and store the received user information in correspondence with the authenticating device serial number to complete the binding.
The client further comprises a second acquisition module and a sixth judgment module;
the second acquisition module is configured to obtain the user information corresponding to the authenticating device when the first judgment module judges that the second sensitive information received by the first receiving module is consistent with the second sensitive information obtained by the first processing module;
the sixth judgment module is configured to judge, according to the user information obtained by the second acquisition module, whether the user is legitimate;
the first sending module is further configured to send the first dynamic password and the authenticating device serial number to the authentication center after the sixth judgment module judges that the user is legitimate;
the first display module is further configured to display login failure information after the sixth judgment module judges that the user is illegitimate.
The sixth judgment module is specifically configured to look up the corresponding user status according to the user information and to judge whether the user status is abnormal; if so, the user is determined to be illegitimate, otherwise the user is determined to be legitimate.
The second display module is further configured to prompt the user whether to log in after the third receiving module receives the login instruction;
the second detection module is further configured to detect whether a key is pressed after the second display module prompts the user whether to log in;
the third judgment module is further configured to judge the type of the key after the second detection module detects that a key has been pressed;
the sixth generation module operates after the third judgment module judges that the first key was pressed;
the third sending module returns an error code to the client after the third judgment module judges that the second key was pressed.
The sixth generation module comprises a first generation unit, a second encryption unit, a second signature unit and a second processing unit;
the first generation unit is configured to generate a first plaintext dynamic password from the time factor in the authenticating device, the preset algorithm and the random number;
the second encryption unit is configured to encrypt the first plaintext dynamic password generated by the first generation unit with the authentication center public key to obtain a first ciphertext dynamic password;
the second signature unit is configured to sign the first ciphertext dynamic password obtained by the second encryption unit with the authenticating device private key to obtain a second signature value;
the second processing unit is configured to obtain the first dynamic password from the first ciphertext dynamic password obtained by the second encryption unit and the second signature value obtained by the second signature unit.
The authentication center further comprises a second signature verification module, a seventh generation module and a seventh judgment module;
the second signature verification module is configured to verify, with the authenticating device public key, the signature of the first dynamic password received by the second receiving module and to judge whether the verification succeeds;
the seventh generation module is configured, after the second signature verification module judges that the verification succeeded, to look up the corresponding random number according to the authenticating device serial number, to generate a second plaintext dynamic password from that random number, the time factor in the authentication center and the preset algorithm, and to decrypt the first ciphertext dynamic password in the first dynamic password with the authentication center private key to obtain the first plaintext dynamic password;
the second sending module is further configured to return an error code to the client after the second signature verification module judges that the verification failed;
the seventh judgment module is configured to judge whether the first plaintext dynamic password obtained by the seventh generation module is consistent with the second plaintext dynamic password;
the second sending module is further configured to send an authentication success message to the client after the seventh judgment module judges that the first plaintext dynamic password obtained by the seventh generation module is consistent with the second plaintext dynamic password, and to return an error code to the client after the seventh judgment module judges that they are inconsistent.
The second processing unit is specifically configured to base64-encode the first ciphertext dynamic password to obtain third character data, base64-encode the second signature value to obtain fourth character data, and concatenate the third character data and the fourth character data to obtain the first dynamic password;
the second signature verification module is specifically configured to split the first dynamic password into the third character data and the fourth character data, base64-decode the third character data to obtain the first ciphertext dynamic password, base64-decode the fourth character data to obtain the second signature value, perform a computation on the decoded second signature value with the authenticating device public key to obtain second verification data, and judge whether the second verification data is consistent with the decoded first ciphertext dynamic password; if so, the signature verification succeeds, otherwise it fails.
The authentication center further comprises a clearing module and an eighth judgment module;
the clearing module is configured to clear the random number after the second judgment module judges that the first dynamic password is consistent with the second dynamic password;
the eighth judgment module is configured to judge whether the random number was found;
the fifth generation module operates after the eighth judgment module judges that the random number was found;
the second sending module is further configured to return an error code to the client after the eighth judgment module judges that the random number was not found.
Compared with the prior art, the present invention has the following advantages:
In the secure login method and system provided by the invention, the authentication center issues the sensitive information to the client in plaintext and sends it to the authenticating device encrypted and signed; the client and the authenticating device each display the sensitive information; after the user confirms it, the authenticating device generates a dynamic password and returns it to the authentication center, which authenticates the user's identity according to the dynamic password received, thereby achieving secure login.
Description of the drawings
Fig. 1 is a flowchart of the secure login method provided by Embodiment 1 of the present invention;
Fig. 2 and Fig. 3 are flowcharts of the secure login method provided by Embodiment 2 of the present invention;
Fig. 4 is a module diagram of the secure login system provided by Embodiment 3 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that persons of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The method is applied in a system comprising an authenticating device, a client and an authentication center.
Embodiment 1
Embodiment 1 of the present invention provides a secure login method which, as shown in Fig. 1, comprises:
Step S1: When the client detects a trigger message, the client obtains the authenticating device serial number and the first sensitive information identifier of the authenticating device, generates a sensitive information issuing request from the serial number and the identifier, and sends the request to the authentication center;
Step S2: The authentication center looks up the first sensitive information corresponding to the first sensitive information identifier in the request, looks up the second sensitive information in the authentication center, generates a random number, stores the random number in correspondence with the authenticating device serial number in the request, generates first reply data from the first sensitive information, the second sensitive information and the random number, generates a response message from the first reply data and the second sensitive information, and sends the response message to the client;
Step S3: The client obtains the first reply data and the second sensitive information from the response message and sends the first reply data to the authenticating device;
Step S4: The authenticating device obtains the first sensitive information, the second sensitive information and the random number from the received first reply data and displays the first sensitive information;
Step S5: When the authenticating device detects that a key has been pressed, it judges the type of the key: if it is the first key, the authenticating device returns to the client the second sensitive information obtained from the first reply data and step S7 is executed; if it is the second key, the authenticating device returns an error code to the client and step S6 is executed;
Step S6: The client receives the error code sent by the authenticating device, displays login failure information according to the error code, and the procedure ends;
Step S7: The client judges whether the second sensitive information received from the authenticating device is consistent with the second sensitive information obtained from the response message; if so, it sends a login instruction to the authenticating device and step S8 is executed; otherwise it displays login failure information and the procedure ends;
Step S8: The authenticating device generates a first dynamic password from the time factor in the authenticating device, the preset algorithm and the random number obtained from the first reply data, and sends the first dynamic password and the authenticating device serial number to the client;
Step S9: The client sends the first dynamic password and the authenticating device serial number to the authentication center;
Step S10: The authentication center looks up the corresponding random number according to the authenticating device serial number, generates a second dynamic password from the random number found, the time factor in the authentication center and the preset algorithm, and judges whether the first dynamic password is consistent with the second dynamic password; if so, it sends an authentication success message to the client and the procedure ends; otherwise it returns an error code to the client and step S11 is executed;
Step S11: The client receives the error code sent by the authentication center, displays login failure information according to the error code, and the procedure ends.
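The exchange laid out in the module description above and in steps S1 to S10 of Embodiment 1, as an added example that is not the patent's code. Both the authentication center and the authenticating device run in one Python file, with the client's split-and-compare step between them. The page does not name the encryption, the signature or the "preset algorithm", so the following are assumptions of this example: textbook RSA on runtime-generated demo keys (no padding; the signature is taken over a SHA-256 digest of the signed data rather than over the data itself, so the "verification data" recovered with the public key is compared against that digest), a six-digit HMAC-SHA256 code keyed by the random number as the dynamic password, the key-generation helper, and the `run_login` driver. The "[#*#]" delimiter, the base64 layout, the verify-before-decrypt order and the single-use random number are the page's own.

```python
# Added example, not the patent's code; every assumption is marked where it is made.
import base64, hashlib, hmac, secrets

SEP = b"[#*#]"  # the page's field delimiter

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, only for throwaway demo keys
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def gen_keypair(bits=1024):  # ((e, n), (d, n)); assumption: textbook RSA, no padding, demo only
    e, primes = 65537, []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(c) and c not in primes and (c - 1) % e:
            primes.append(c)
    p, q = primes
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def _rsa(key, data):
    exp, n = key
    m = int.from_bytes(data, "big")
    if m >= n: raise ValueError("input longer than the modulus")
    return pow(m, exp, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_encrypt(pub, data):
    return _rsa(pub, b"\x01" + data)  # 0x01 marker so leading zero bytes survive decryption
def rsa_decrypt(priv, ct):
    return _rsa(priv, ct).lstrip(b"\x00")[1:]
def rsa_sign(priv, data):
    return _rsa(priv, hashlib.sha256(data).digest())  # assumption: the digest is what gets signed
def rsa_verify(pub, data, sig):
    if int.from_bytes(sig, "big") >= pub[1]: return False  # not a value made under this modulus
    # the page's "verification data" is what the public key recovers from the signature
    return hmac.compare_digest(_rsa(pub, sig)[-32:], hashlib.sha256(data).digest())

def dynamic_password(rnd, time_factor):  # assumed "preset algorithm": HMAC-SHA256 keyed by rnd
    mac = hmac.new(rnd, time_factor.to_bytes(8, "big"), hashlib.sha256).digest()
    return b"%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

class AuthCenter:
    def __init__(self, dev_pub):
        self.pub, self.priv = gen_keypair()
        self.dev_pub, self.pending = dev_pub, {}  # pending: serial number -> random number

    def issue(self, serial, first_si, second_si):  # step S2 (steps 105-106 of Embodiment 2)
        rnd = b"%08d" % secrets.randbelow(10 ** 8)
        self.pending[serial] = rnd
        enc = rsa_encrypt(self.dev_pub, SEP.join([first_si, second_si, rnd]))  # first encrypted data
        first_reply = base64.b64encode(enc) + SEP + base64.b64encode(rsa_sign(self.priv, enc))
        return first_reply + SEP + second_si  # response message

    def verify_login(self, serial, first_dp, time_factor):  # step S10 with the 8th judgment and clearing modules
        rnd = self.pending.get(serial)
        if rnd is None:
            return False  # no random number stored for this serial: error code
        ct64, sig64 = first_dp.split(SEP)
        ct, sig = base64.b64decode(ct64), base64.b64decode(sig64)
        if not rsa_verify(self.dev_pub, ct, sig) or not hmac.compare_digest(
                rsa_decrypt(self.priv, ct), dynamic_password(rnd, time_factor)):
            return False
        del self.pending[serial]  # clearing module: the random number is single-use
        return True

class AuthDevice:
    def __init__(self):
        self.pub, self.priv = gen_keypair()
        self.rnd = None

    def open_reply(self, first_reply, center_pub):  # steps 108-110: verify before decrypting
        enc64, sig64 = first_reply.split(SEP)
        enc, sig = base64.b64decode(enc64), base64.b64decode(sig64)
        if not rsa_verify(center_pub, enc, sig):
            return None  # error code to the client
        first_si, second_si, self.rnd = rsa_decrypt(self.priv, enc).split(SEP)
        return first_si, second_si  # first_si is shown on the device, second_si goes to the client

    def login(self, center_pub, time_factor):  # step S8: encrypt the password, sign the ciphertext
        ct = rsa_encrypt(center_pub, dynamic_password(self.rnd, time_factor))
        return base64.b64encode(ct) + SEP + base64.b64encode(rsa_sign(self.priv, ct))

def run_login(serial=b"1000313600001", first_si=b"icbc95585", second_si=b"unionpay", time_factor=12345):
    """Constructed run of S1-S10 with the page's sample values; returns (client check of step S7,
    authentication result, result of presenting the same first dynamic password a second time)."""
    dev = AuthDevice()
    center = AuthCenter(dev.pub)
    first_reply, second_from_center = center.issue(serial, first_si, second_si).rsplit(SEP, 1)
    opened = dev.open_reply(first_reply, center.pub)
    if opened is None or not hmac.compare_digest(opened[1], second_from_center):
        return False, False, False
    first_dp = dev.login(center.pub, time_factor)
    auth_ok = center.verify_login(serial, first_dp, time_factor)
    return True, auth_ok, center.verify_login(serial, first_dp, time_factor)
```

`run_login()` returns three booleans: the client's consistency check of the second sensitive information, the authentication result, and the result of presenting the same first dynamic password again, which fails because the clearing module has removed the random number. A wrong time factor fails the comparison without clearing the random number, matching the page's ordering. The raw RSA operation is only a stand-in for whatever the product uses; a deployment would use a padded encryption and signature scheme.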
Embodiment 2
Embodiment 2 of the present invention provides a secure login method which, as shown in Fig. 2 and Fig. 3, comprises:
Step 101: When the client detects a trigger message, the client obtains the authenticating device serial number and the first sensitive information identifier of the authenticating device, generates a sensitive information issuing request from the serial number and the identifier, and sends the request to the authentication center;
Specifically, the authenticating device serial number and the first sensitive information identifier may be obtained in either of two ways: the client sends an acquisition instruction to the authenticating device and receives the authenticating device serial number and first sensitive information identifier that the authenticating device returns; or the client receives user information entered by the user and looks up, inside the client, the authenticating device serial number and first sensitive information identifier corresponding to that user information;
For example, the authenticating device serial number is "1000313600001" and the first sensitive information identifier is "icbc";
Step 102: The authentication center receives the sensitive information issuing request and judges from it whether the authenticating device is legitimate; if so, step 104 is executed, otherwise an error code is returned to the client and step 103 is executed;
Specifically, the authentication center looks up the state and the public key of the authenticating device corresponding to the authenticating device serial number in the request; if the state found shows that the authenticating device is usable and the authenticating device public key exists, the authenticating device is determined to be legitimate, otherwise it is determined to be illegitimate;
Step 103: The client receives the error code sent by the authentication center, displays login failure information according to the error code, and the procedure ends;
Step 104: The authentication center looks up the first sensitive information corresponding to the first sensitive information identifier in the request, and looks up the second sensitive information in the authentication center;
For example, the first sensitive information found is "icbc95585" and the second sensitive information found is "unionpay";
Step 105: The authentication center generates a random number, stores the random number in correspondence with the authenticating device serial number, and generates first reply data from the first sensitive information, the second sensitive information and the random number;
Specifically, the authentication center looks up, in the authentication center, the authenticating device public key corresponding to the authenticating device serial number in the request; concatenates the first sensitive information, the second sensitive information and the random number to obtain first data; encrypts the first data with the authenticating device public key found to obtain first encrypted data; signs the first encrypted data with the authentication center private key to obtain a first signature value; and obtains the first reply data from the first encrypted data and the first signature value. Obtaining the first reply data from the first encrypted data and the first signature value specifically means: the authentication center base64-encodes the first encrypted data to obtain first character data, base64-encodes the first signature value to obtain second character data, and concatenates the first character data and the second character data to generate the first reply data;
For example, the random number generated by the authentication center is "12345678" and the authenticating device serial number is "1000313600001";
The authentication center generates the first reply data as follows:
The authentication center concatenates the first sensitive information, the second sensitive information and the random number, obtaining the first data:
icbc95585[#*#]unionpay[#*#]12345678
The authentication center first encrypts the first data with the authenticating device public key, obtaining the first encrypted data (128 bytes, printed as signed byte values):
[22,-85,7,21,-114,69,-34,-89,68,-117,-110,-22,-71,99,79,114,18,-21,7,-73,78,116,-82,109,-56,-50,-87,-57,-111,-118,-52,-84,77,-116,71,60,-23,-47,42,-88,81,2,63,-66,-109,86,79,38,26,69,9,38,-43,-45,-40,-73,-15,2,87,-50,-7,33,102,-12,80,67,13,-7,96,23,-103,1,-121,71,8,96,65,31,-71,58,43,-92,83,-28,123,72,-29,80,-113,14,92,-88,40,109,108,-85,-96,19,-27,-65,30,-73,118,-122,-32,18,3,-101,-66,-58,-43,-6,-124,111,-109,-30,-49,9,-27,-94,41,122,-99,-73,-18,115,31,-35]
The authentication center base64-encodes the first encrypted data, obtaining the first character data:
FqsHFY5F3qdEi5LquWNPchLrB7dOdK5tyM6px5GKzKxNjEc86dEqqFECP76TVk8mGkUJJtXT2LfxAlfO+SFm9FBDDflgF5kBh0cIYEEfuTorpFPke0jjUI8OXKgobWyroBPlvx63dobgEgObvsbV+oRvk+LPCeWiKXqdt+5zH90=
The authentication center signs the first encrypted data with the authentication center private key, obtaining the first signature value (128 bytes):
[80,-14,105,46,-110,-89,-93,40,-75,67,-119,119,103,-49,-28,-2,-7,-112,25,-85,-118,99,3,87,8,-96,58,-74,-127,-15,8,-92,83,-127,72,0,-121,88,-110,101,-4,-13,63,24,119,74,-105,-110,-68,-1,69,-110,-16,-59,124,-45,67,21,-72,78,21,-56,-5,126,97,-3,-55,92,62,81,31,3,-83,-54,64,35,-100,-101,71,-126,-105,30,-82,-72,-103,102,56,2,29,35,-82,-104,-118,78,-77,-50,122,32,-72,52,50,38,34,-106,6,-57,35,-11,70,76,-12,22,-109,-66,-93,68,-76,4,-30,98,-48,4,-2,28,12,43,-55,36]
The authentication center base64-encodes the first signature value, obtaining the second character data:
UPJpLpKnoyi1Q4l3Z8/k/vmQGauKYwNXCKA6toHxCKRTgUgAh1iSZfzzPxh3SpeSvP9FkvDFfNNDFbhOFcj7fmH9yVw+UR8DrcpAI5ybR4KXHq64mWY4Ah0jrpiKTrPOeiC4NDImIpYGxzX1Rkz0FpO+o0S0BOJi0AT+HAwrySQ=
The authentication center concatenates the first character data and the second character data, generating the first reply data:
FqsHFY5F3qdEi5LquWNPchLrB7dOdK5tyM6px5GKzKxNjEc86dEqqFECP76TVk8mGkUJJtXT2LfxAlfO+SFm9FBDDflgF5kBh0cIYEEfuTorpFPke0jjUI8OXKgobWyroBPlvx63dobgEgObvsbV+oRvk+LPCeWiKXqdt+5zH90=[#*#]UPJpLpKnoyi1Q4l3Z8/k/vmQGauKYwNXCKA6toHxCKRTgUgAh1iSZfzzPxh3SpeSvP9FkvDFfNNDFbhOFcj7fmH9yVw+UR8DrcpAI5ybR4KXHq64mWY4Ah0jrpiKTrPOeiC4NDImIpYGxzX1Rkz0FpO+o0S0BOJi0AT+HAwrySQ=
Alternatively, the authentication center may obtain the first reply data from the first encrypted data and the first signature value as follows: it first encrypts the first data with the authenticating device public key to obtain the first encrypted data, signs the first encrypted data with the authentication center private key to obtain the first signature value, concatenates the first encrypted data and the first signature value to obtain second data, and then base64-encodes the second data to obtain the first reply data;
Step 106: The authentication center generates a response message from the first reply data and the second sensitive information and sends the response message to the client;
Specifically, the authentication center concatenates the first reply data and the second sensitive information to generate the response message;
For example, the response message the authentication center generates from the first reply data and the second sensitive information is:
FqsHFY5F3qdEi5LquWNPchLrB7dOdK5tyM6px5GKzKxNjEc86dEqqFECP76TVk8mGkUJJtXT2LfxAlfO+SFm9FBDDflgF5kBh0cIYEEfuTorpFPke0jjUI8OXKgobWyroBPlvx63dobgEgObvsbV+oRvk+LPCeWiKXqdt+5zH90=[#*#]UPJpLpKnoyi1Q4l3Z8/k/vmQGauKYwNXCKA6toHxCKRTgUgAh1iSZfzzPxh3SpeSvP9FkvDFfNNDFbhOFcj7fmH9yVw+UR8DrcpAI5ybR4KXHq64mWY4Ah0jrpiKTrPOeiC4NDImIpYGxzX1Rkz0FpO+o0S0BOJi0AT+HAwrySQ=[#*#]unionpay
Step 107: The client receives the response message, obtains the first reply data and the second sensitive information from it, displays the second sensitive information, and sends the first reply data to the authenticating device;
Specifically, the client splits the received response message to obtain the first reply data and the second sensitive information;
For example, the response message received by the client is:
FqsHFY5F3qdEi5LquWNPchLrB7dOdK5tyM6px5GKzKxNjEc86dEqqFECP76TVk8mGkUJJtXT2LfxAlfO+SFm9FBDDflgF5kBh0cIYEEfuTorpFPke0jjUI8OXKgobWyroBPlvx63dobgEgObvsbV+oRvk+LPCeWiKXqdt+5zH90=[#*#]UPJpLpKnoyi1Q4l3Z8/k/vmQGauKYwNXCKA6toHxCKRTgUgAh1iSZfzzPxh3SpeSvP9FkvDFfNNDFbhOFcj7fmH9yVw+UR8DrcpAI5ybR4KXHq64mWY4Ah0jrpiKTrPOeiC4NDImIpYGxzX1Rkz0FpO+o0S0BOJi0AT+HAwrySQ=[#*#]unionpay
The first reply data obtained by splitting is:
FqsHFY5F3qdEi5LquWNPchLrB7dOdK5tyM6px5GKzKxNjEc86dEqqFECP76TVk8mGkUJJtXT2LfxAlfO+SFm9FBDDflgF5kBh0cIYEEfuTorpFPke0jjUI8OXKgobWyroBPlvx63dobgEgObvsbV+oRvk+LPCeWiKXqdt+5zH90=[#*#]UPJpLpKnoyi1Q4l3Z8/k/vmQGauKYwNXCKA6toHxCKRTgUgAh1iSZfzzPxh3SpeSvP9FkvDFfNNDFbhOFcj7fmH9yVw+UR8DrcpAI5ybR4KXHq64mWY4Ah0jrpiKTrPOeiC4NDImIpYGxzX1Rkz0FpO+o0S0BOJi0AT+HAwrySQ=
The second sensitive information obtained by splitting is "unionpay"; the client displays the second sensitive information "unionpay";
Step 108: authenticating device receives the first reply data, carries out sign test according to default authentication center's PKI to the first reply data, judges whether sign test success, is to perform step 110, otherwise returns to error code to client, execution step 109;
Particularly, authenticating device obtains the first enciphered data and the first signature value in the first reply data, signs name-value pair the first reply data carry out sign test according to the first enciphered data and first;
For example, authenticating device carries out base64 decoding to the first character data in the first reply data, obtain the first enciphered data, authenticating device carries out base64 decoding to the second character data in the first reply data, obtain the first signature value, authenticating device the first enciphered data that decoding obtains according to base64 and first is signed name-value pair the first reply data and is carried out sign test;
Authenticating device carries out base64 decoding to the first character data in the first reply data, obtains the first enciphered data to be:
[22,-85,7,21,-114,69,-34,-89,68,-117,-110,-22,-71,99,79,114,18,-21,7,-73,78,116,-82,109,-56,-50,-87,-57,-111,-118,-52,-84,77,-116,71,60,-23,-47,42,-88,81,2,63,-66,-109,86,79,38,26,69,9,38,-43,-45,-40,-73,-15,2,87,-50,-7,33,102,-12,80,67,13,-7,96,23,-103,1,-121,71,8,96,65,31,-71,58,43,-92,83,-28,123,72,-29,80,-113,14,92,-88,40,109,108,-85,-96,19,-27,-65,30,-73,118,-122,-32,18,3,-101,-66,-58,-43,-6,-124,111,-109,-30,-49,9,-27,-94,41,122,-99,-73,-18,115,31,-35]
Authenticating device carries out base64 decoding to the second character data in the first reply data, obtains the first signature value to be:
[80,-14,105,46,-110,-89,-93,40,-75,67,-119,119,103,-49,-28,-2,-7,-112,25,-85,-118,99,3,87,8,-96,58,-74,-127,-15,8,-92,83,-127,72,0,-121,88,-110,101,-4,-13,63,24,119,74,-105,-110,-68,-1,69,-110,-16,-59,124,-45,67,21,-72,78,21,-56,-5,126,97,-3,-55,92,62,81,31,3,-83,-54,64,35,-100,-101,71,-126,-105,30,-82,-72,-103,102,56,2,29,35,-82,-104,-118,78,-77,-50,122,32,-72,52,50,38,34,-106,6,-57,53,-11,70,76,-12,22,-109,-66,-93,68,-76,4,-30,98,-48,4,-2,28,12,43,-55,36]
Authenticating device carries out computing according to authentication center's PKI the first signature value that decoding obtains to base64, obtain first verification data, judging that whether the first verification data that computing obtains is consistent with the first enciphered data that base64 decoding obtains, is to determine sign test success, otherwise determines sign test failure;
In addition, authenticating device also can: the first reply data is carried out to base64 decoding, obtain the second data, first in the first enciphered data in the second data that authenticating device obtains according to deciphering and the second data are signed name-value pair the first reply data and are carried out sign test;
Step 109: the error code that client authenticating device sends, according to error code, show login failure information, finish;
Step 110: the authenticating device obtains the first sensitive information, the second sensitive information and the random number from the first reply data;
Specifically, the authenticating device decrypts the first enciphered data in the first reply data with the authenticating device private key and obtains the first sensitive information, the second sensitive information and the random number;
For example, the authenticating device decrypts the first enciphered data in the first reply data with the authenticating device private key and obtains the first data:
icbc95585[#*#]unionpay[#*#]12345678
The authenticating device splits the first data: the first sensitive information obtained is "icbc95585", the second sensitive information is "unionpay", and the random number is "12345678";
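The construction and opening of the first reply data described in steps 108 to 110 (and, in Embodiment 3, the first lookup, combining, encryption, signing and processing units of the third generation module 304 together with the first signature verification module and the second processing module 402), written out as an added example in Go. This is not code from the patent or from Feitian; the patent names no primitives, so RSA-OAEP for the encryption, PKCS#1 v1.5 signatures over SHA-256 for the signing, and the function names are assumptions. The same encrypt-then-sign and verify-then-decrypt pattern is what steps 122-2 to 122-4 and 126-1 apply to the dynamic password, with the roles of the two key pairs swapped.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Sep is the separator the patent uses when splicing fields and character data.
const Sep = "[#*#]"

// BuildFirstReplyData follows the third generation module: splice the three
// fields into the first data, encrypt it with the authenticating device public
// key (first enciphered data), sign the ciphertext with the authentication
// center private key (first signature value), base64-encode both and splice
// them. RSA-OAEP and PKCS#1 v1.5 over SHA-256 are assumptions of this example.
func BuildFirstReplyData(devPub *rsa.PublicKey, centerPriv *rsa.PrivateKey,
	info1, info2, random string) (string, error) {
	for _, f := range []string{info1, info2, random} {
		// A field containing the separator would be split into extra fields
		// by the device, so refuse it rather than leave the layout ambiguous.
		if strings.Contains(f, Sep) {
			return "", errors.New("field contains separator")
		}
	}
	firstData := []byte(info1 + Sep + info2 + Sep + random)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, firstData, nil)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(enc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, centerPriv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	first := base64.StdEncoding.EncodeToString(enc)  // first character data
	second := base64.StdEncoding.EncodeToString(sig) // second character data
	return first + Sep + second, nil
}

// OpenFirstReplyData follows the first signature verification module and the
// second processing module: split and decode the two character data, verify
// the signature before touching the ciphertext, then decrypt and split the
// first data into first sensitive information, second sensitive information
// and random number.
func OpenFirstReplyData(centerPub *rsa.PublicKey, devPriv *rsa.PrivateKey,
	reply string) (info1, info2, random string, err error) {
	parts := strings.Split(reply, Sep)
	if len(parts) != 2 {
		return "", "", "", errors.New("malformed first reply data")
	}
	enc, err := base64.StdEncoding.DecodeString(parts[0])
	if err != nil {
		return "", "", "", err
	}
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return "", "", "", err
	}
	digest := sha256.Sum256(enc)
	if err := rsa.VerifyPKCS1v15(centerPub, crypto.SHA256, digest[:], sig); err != nil {
		// Signature verification failed: the device returns an error code
		// and never exercises its private key on the ciphertext.
		return "", "", "", fmt.Errorf("signature verification failed: %w", err)
	}
	firstData, err := rsa.DecryptOAEP(sha256.New(), nil, devPriv, enc, nil)
	if err != nil {
		return "", "", "", err
	}
	fields := strings.Split(string(firstData), Sep)
	if len(fields) != 3 {
		return "", "", "", errors.New("first data does not hold three fields")
	}
	return fields[0], fields[1], fields[2], nil
}

func main() {
	devKey, _ := rsa.GenerateKey(rand.Reader, 2048)    // authenticating device key pair
	centerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // authentication center key pair
	reply, err := BuildFirstReplyData(&devKey.PublicKey, centerKey, "icbc95585", "unionpay", "12345678")
	if err != nil {
		panic(err)
	}
	a, b, c, err := OpenFirstReplyData(&centerKey.PublicKey, devKey, reply)
	fmt.Println(a, b, c, err)
}
```

Two points differ from the patent's wording. The patent verifies by applying the center's public key to the signature and comparing the recovered value with the enciphered data, a signature-with-recovery style check; the example uses the conventional hash-then-sign form instead. And because the standard base64 alphabet never contains the characters of "[#*#]", splitting the character data on the separator is unambiguous, but a plaintext field could contain it, which is why the builder rejects such fields.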
Step 111: the authenticating device displays the first sensitive information;
For example, the authenticating device displays the first sensitive information "icbc95585";
Step 112: after the authenticating device detects that a button is triggered, it judges the type of the button; if it is the first button, step 114 is performed; if it is the second button, an error code is returned to the client and step 113 is performed;
Preferably, in this embodiment, the first button is the confirm key and the second button is the cancel key;
Step 113: the client receives the error code sent by the authenticating device, displays login failure information according to the error code, and ends;
Step 114: the authenticating device displays the second sensitive information and returns the second sensitive information to the client;
For example, the authenticating device displays the second sensitive information "unionpay";
Step 115: the client receives the second sensitive information sent by the authenticating device and judges whether it is consistent with the second sensitive information obtained from the response message; if so, step 116 is performed, otherwise login failure information is displayed and the process ends;
For example, in this embodiment the second sensitive information the client obtained from the response message is "unionpay" and the second sensitive information the client receives from the authenticating device is also "unionpay", so the two are consistent;
Step 116: the client judges, according to the authenticating device serial number, whether the authenticating device is bound to a user; if so, step 118 is performed, otherwise step 117;
Specifically, the client judges whether user information corresponding to the authenticating device serial number can be found within the client; if so, it determines that the authenticating device is bound to a user, otherwise it determines that it is not bound. After this step determines that the authenticating device is bound, the client also obtains the user information corresponding to the authenticating device;
Step 117: the client prompts the user to register, receives the user information entered by the user, binds the user to the authenticating device according to the received user information, and performs step 118;
Specifically, the client stores the received user information in correspondence with the authenticating device serial number, completing the binding;
Step 118: the client sends a login instruction to the authenticating device;
Step 119: the authenticating device receives the login instruction and prompts the user whether to log in;
Step 120: after the authenticating device detects that a button is triggered, it judges the type of the button; if it is the first button, step 122 is performed; if it is the second button, an error code is returned to the client and step 121 is performed;
Preferably, in this embodiment, the first button is the confirm key and the second button is the cancel key;
Step 121: the client receives the error code sent by the authenticating device, displays login failure information according to the error code, and ends;
Step 122: the authenticating device generates the first dynamic password according to the random number obtained from the first reply data, the time factor in the authenticating device and the preset algorithm, and sends the first dynamic password and the authenticating device serial number to the client;
For example, the random number obtained from the first reply data is "12345678", and the first dynamic password generated from that random number, the time factor in the authenticating device and the preset algorithm is "654321";
In this embodiment, the step in which the authenticating device generates the first dynamic password from the random number and the preset algorithm may be placed in any one of steps 110, 111, 114, 119 and 122;
Alternatively, the authenticating device may generate the first dynamic password as follows:
Step 122-1: the authenticating device generates the first plaintext dynamic password according to the random number obtained from the first reply data, the time factor in the authenticating device and the preset algorithm;
For example, the random number obtained from the first reply data is 12345678 and the first plaintext dynamic password generated is 654321;
Step 122-2: the authenticating device encrypts the first plaintext dynamic password with the authentication center public key and obtains the first ciphertext dynamic password;
For example, the first ciphertext dynamic password is:
[38,-90,-125,-5,111,-113,87,-48,-104,120,105,30,23,70,-9,93,-128,55,25,91,-53,-93,-83,-1,89,107,-12,69,-61,-100,-61,-22,35,49,79,-66,79,-125,19,57,63,95,-44,61,127,19,-4,91,103,-32,-86,62,78,48,56,-10,126,-34,114,-49,-63,4,-107,26,-38,-116,51,113,-117,48,61,38,109,-101,26,-25,62,14,-102,115,105,22,-25,-20,50,-2,16,-35,-34,82,66,67,127,-59,62,-89,97,62,54,24,88,2,-47,22,97,-87,-103,-32,-82,-126,60,-116,-125,-120,125,125,74,85,-44,-52,-52,102,102,-12,-106,-30,25,-23]
Step 122-3: the authenticating device signs the first ciphertext dynamic password with the authenticating device private key and obtains the second signature value;
For example, the second signature value is:
[64,105,108,61,68,-80,64,-1,-12,-7,10,73,93,-67,29,85,112,-54,-50,107,-101,-125,70,-48,-64,-123,-45,45,35,-53,-34,112,-67,-128,-127,67,49,47,51,84,114,-83,-72,-68,-6,-34,-97,-83,-108,39,74,55,-66,66,59,-77,-27,-118,42,-56,95,-86,47,95,49,-45,-45,24,-117,74,13,-91,119,67,-107,-114,-60,-34,-1,20,94,-115,113,-124,82,40,-111,50,-71,62,-95,-36,19,111,-125,83,-64,-38,50,20,36,20,-120,-127,58,2,16,-128,48,-3,-113,64,-81,113,-115,75,-77,-68,-40,-109,126,84,26,11,37,58,110,127]
Step 122-4: the authenticating device obtains the first dynamic password from the first ciphertext dynamic password and the second signature value;
Specifically, the authenticating device base64-encodes the first ciphertext dynamic password to obtain the third character data, base64-encodes the second signature value to obtain the fourth character data, and splices the third character data and the fourth character data to obtain the first dynamic password;
For example, the authenticating device obtains the first dynamic password from the first ciphertext dynamic password and the second signature value as follows:
The authenticating device base64-encodes the first ciphertext dynamic password and obtains the third character data:
fPhTri05/nXaJ4z3B7vzdGGoZ//+1nrddNXVHmTtAyPSmb/9z+P24CTUc3JygoHQucd6AfUqz8m+zK0Z9BpzKACnJ/OhPj4J9yX8oKDFW5pjuPt8kdEuq8IZyzrsnc0gPyOS+1HBQXL0j++V504MPI11GGf1fsaV8D9JfVd/wgNu=
The authenticating device base64-encodes the second signature value and obtains the fourth character data:
QGlsPUSwQP/0+QpJXb0dVXDKzmubg0bQwIXTLSPL3nC9gIFDMS8zVHKtuLz63p+tlCdKN75CO7PliirIX6ovXzHT0xiLSg2ld0OVjsTe/xRejXGEUiiRMrk+odwTb4NTwNoyFCQUiIE6AhCAMP2PQK9xjUuzvNiTflQaCyU6bn8=
The authenticating device splices the third character data and the fourth character data and obtains the first dynamic password:
fPhTri05/nXaJ4z3B7vzdGGoZ//+1nrddNXVHmTtAyPSmb/9z+P24CTUc3JygoHQucd6AfUqz8m+zK0Z9BpzKACnJ/OhPj4J9yX8oKDFW5pjuPt8kdEuq8IZyzrsnc0gPyOS+1HBQXL0j++V504MPI11GGf1fsaV8D9JfVd/wgNu=[#*#]QGlsPUSwQP/0+QpJXb0dVXDKzmubg0bQwIXTLSPL3nC9gIFDMS8zVHKtuLz63p+tlCdKN75CO7PliirIX6ovXzHT0xiLSg2ld0OVjsTe/xRejXGEUiiRMrk+odwTb4NTwNoyFCQUiIE6AhCAMP2PQK9xjUuzvNiTflQaCyU6bn8=
Step 123: the client receives the first dynamic password and the authenticating device serial number and judges, according to the user information, whether the user is legal; if so, step 124 is performed, otherwise login failure information is displayed and the process ends;
Specifically, the client looks up the corresponding user status according to the user information and judges whether the user status is abnormal; if so, it determines that the user is illegal, otherwise that the user is legal;
Step 124: the client sends the first dynamic password and the authenticating device serial number to the authentication center;
For example, the first dynamic password is "654321" and the authenticating device serial number is "1000313600001";
Step 125: the authentication center receives the first dynamic password and the authenticating device serial number, looks up the corresponding random number according to the authenticating device serial number, and judges whether the random number is found; if so, step 126 is performed, otherwise an error code is returned to the client and step 127 is performed;
In this embodiment, the method also comprises, before this step:
the authentication center receives the first dynamic password and the authenticating device serial number, verifies the signature of the first dynamic password with the authenticating device public key, and judges whether signature verification succeeds; if so, step 125 is performed, otherwise an error code is returned to the client and step 127 is performed;
Specifically, the authentication center splits the first dynamic password to obtain the third character data and the fourth character data, base64-decodes the third character data to obtain the first ciphertext dynamic password, base64-decodes the fourth character data to obtain the second signature value, performs the verification operation on the decoded second signature value with the authenticating device public key to obtain the second verification data, and judges whether the second verification data obtained by the operation is consistent with the first ciphertext dynamic password obtained by base64 decoding; if so, it determines that signature verification succeeds, otherwise that it fails.
For example, the first dynamic password received by the authentication center is:
fPhTri05/nXaJ4z3B7vzdGGoZ//+1nrddNXVHmTtAyPSmb/9z+P24CTUc3JygoHQucd6AfUqz8m+zK0Z9BpzKACnJ/OhPj4J9yX8oKDFW5pjuPt8kdEuq8IZyzrsnc0gPyOS+1HBQXL0j++V504MPI11GGf1fsaV8D9JfVd/wgNu=[#*#]QGlsPUSwQP/0+QpJXb0dVXDKzmubg0bQwIXTLSPL3nC9gIFDMS8zVHKtuLz63p+tlCdKN75CO7PliirIX6ovXzHT0xiLSg2ld0OVjsTe/xRejXGEUiiRMrk+odwTb4NTwNoyFCQUiIE6AhCAMP2PQK9xjUuzvNiTflQaCyU6bn8=
The authentication center splits the first dynamic password into the third character data and the fourth character data. The third character data is:
fPhTri05/nXaJ4z3B7vzdGGoZ//+1nrddNXVHmTtAyPSmb/9z+P24CTUc3JygoHQucd6AfUqz8m+zK0Z9BpzKACnJ/OhPj4J9yX8oKDFW5pjuPt8kdEuq8IZyzrsnc0gPyOS+1HBQXL0j++V504MPI11GGf1fsaV8D9JfVd/wgNu=
The fourth character data is:
QGlsPUSwQP/0+QpJXb0dVXDKzmubg0bQwIXTLSPL3nC9gIFDMS8zVHKtuLz63p+tlCdKN75CO7PliirIX6ovXzHT0xiLSg2ld0OVjsTe/xRejXGEUiiRMrk+odwTb4NTwNoyFCQUiIE6AhCAMP2PQK9xjUuzvNiTflQaCyU6bn8=
The authentication center base64-decodes the third character data and obtains the first ciphertext dynamic password:
[38,-90,-125,-5,111,-113,87,-48,-104,120,105,30,23,70,-9,93,-128,55,25,91,-53,-93,-83,-1,89,107,-12,69,-61,-100,-61,-22,35,49,79,-66,79,-125,19,57,63,95,-44,61,127,19,-4,91,103,-32,-86,62,78,48,56,-10,126,-34,114,-49,-63,4,-107,26,-38,-116,51,113,-117,48,61,38,109,-101,26,-25,62,14,-102,115,105,22,-25,-20,50,-2,16,-35,-34,82,66,67,127,-59,62,-89,97,62,54,24,88,2,-47,22,97,-87,-103,-32,-82,-126,60,-116,-125,-120,125,125,74,85,-44,-52,-52,102,102,-12,-106,-30,25,-23]
The authentication center base64-decodes the fourth character data and obtains the second signature value:
[64,105,108,61,68,-80,64,-1,-12,-7,10,73,93,-67,29,85,112,-54,-50,107,-101,-125,70,-48,-64,-123,-45,45,35,-53,-34,112,-67,-128,-127,67,49,47,51,84,114,-83,-72,-68,-6,-34,-97,-83,-108,39,74,55,-66,66,59,-77,-27,-118,42,-56,95,-86,47,95,49,-45,-45,24,-117,74,13,-91,119,67,-107,-114,-60,-34,-1,20,94,-115,113,-124,82,40,-111,50,-71,62,-95,-36,19,111,-125,83,-64,-38,50,20,36,20,-120,-127,58,2,16,-128,48,-3,-113,64,-81,113,-115,75,-77,-68,-40,-109,126,84,26,11,37,58,110,127]
The authentication center performs the verification operation on the decoded second signature value with the authenticating device public key, obtains the second verification data, and judges whether the second verification data obtained by the operation is consistent with the first ciphertext dynamic password obtained by base64 decoding; if so, it determines that signature verification succeeds, otherwise it determines that signature verification fails;
Step 126: the authentication center generates the second dynamic password according to the found random number, the time factor in the authentication center and the preset algorithm, and judges whether the received first dynamic password is consistent with the generated second dynamic password; if so, it sends an authentication success message to the client and ends, otherwise it returns an error code to the client and performs step 127;
Specifically, after this step judges that the received first dynamic password is consistent with the generated second dynamic password, the method also comprises: the authentication center clears the generated random number;
For example, the random number that the authentication center finds for the authenticating device serial number "1000313600001" is "12345678", and the second dynamic password generated from the found random number, the time factor in the authentication center and the preset algorithm is "654321"; because the generated second dynamic password is consistent with the received first dynamic password, authentication succeeds;
Alternatively, step 126 comprises:
Step 126-1: the authentication center generates the second plaintext dynamic password according to the found random number, the time factor in the authentication center and the preset algorithm, and decrypts the first ciphertext dynamic password in the first dynamic password with the authentication center private key to obtain the first plaintext dynamic password;
For example, the random number that the authentication center finds for the authenticating device serial number is 12345678, and the second plaintext dynamic password generated from the random number, the time factor in the authentication center and the preset algorithm is 654321; decrypting the first ciphertext dynamic password in the first dynamic password with the authentication center private key gives the first plaintext dynamic password 654321;
Step 126-2: the authentication center judges whether the first plaintext dynamic password obtained by decryption is consistent with the generated second plaintext dynamic password; if so, it sends an authentication success message to the client and ends, otherwise it returns an error code to the client and performs step 127;
Specifically, after this step judges that the decrypted first plaintext dynamic password is consistent with the generated second plaintext dynamic password, the method also comprises: the authentication center clears the generated random number;
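The dynamic password exchange of steps 122 to 126, with the random-number bookkeeping of steps 125 and 126 (in Embodiment 3: the second generation module 303, the second lookup module 307, the fifth generation module 308 and the second judging module 309), as an added example in Go that is not part of the patent. The patent does not name the "preset algorithm", the granularity of the time factor, or the key material the two sides share; this example assumes an HMAC-SHA1 over the random number and a 30-second time counter truncated to six digits in the manner of RFC 4226, a per-device seed provisioned at the center, and a tolerance of one time step of clock drift. The serial number "1000313600001", the random numbers and the seed value are the patent's sample values or constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
)

// StepSeconds is the granularity of the time factor (assumption).
const StepSeconds = 30

// DynamicPassword is the preset algorithm assumed here: HMAC-SHA1 over the
// random number and the time factor, truncated to six digits as in RFC 4226.
// Both the authenticating device (step 122) and the center (step 126) call it
// with the same seed, random number and time factor.
func DynamicPassword(seed []byte, random string, unixTime int64) string {
	var tf [8]byte
	binary.BigEndian.PutUint64(tf[:], uint64(unixTime/StepSeconds))
	mac := hmac.New(sha1.New, seed)
	mac.Write([]byte(random))
	mac.Write(tf[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// AuthCenter keeps, per authenticating device serial number, the provisioned
// seed and the random number issued with the sensitive information (stored by
// the second generation module, found again by the second lookup module).
type AuthCenter struct {
	mu      sync.Mutex
	seeds   map[string][]byte
	pending map[string]string
}

func NewAuthCenter() *AuthCenter {
	return &AuthCenter{seeds: map[string][]byte{}, pending: map[string]string{}}
}

// Provision registers a device seed out of band, before any login (assumption).
func (c *AuthCenter) Provision(serial string, seed []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.seeds[serial] = seed
}

// IssueRandom stores the random number in correspondence with the serial
// number when the center answers the sensitive information issuing request.
func (c *AuthCenter) IssueRandom(serial, random string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.pending[serial] = random
}

// Verify performs steps 125 and 126: look up the random number by serial
// number, regenerate the second dynamic password, compare, and clear the
// random number on success so the same first dynamic password cannot be
// replayed.
func (c *AuthCenter) Verify(serial, firstPassword string, now int64) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	random, ok := c.pending[serial]
	if !ok {
		return errors.New("no random number for this device") // step 125 fails
	}
	seed, ok := c.seeds[serial]
	if !ok {
		return errors.New("unknown authenticating device")
	}
	// Tolerate one time step of clock drift either way (assumption).
	for _, drift := range []int64{0, -StepSeconds, StepSeconds} {
		second := DynamicPassword(seed, random, now+drift)
		if hmac.Equal([]byte(second), []byte(firstPassword)) {
			delete(c.pending, serial) // step 126: clear the random number
			return nil
		}
	}
	return errors.New("dynamic password mismatch")
}

func main() {
	center := NewAuthCenter()
	seed := []byte("constructed seed for device 1000313600001")
	center.Provision("1000313600001", seed)
	center.IssueRandom("1000313600001", "12345678")
	now := int64(1700000000)
	first := DynamicPassword(seed, "12345678", now) // authenticating device, step 122
	fmt.Println("first dynamic password:", first)
	fmt.Println("first attempt:", center.Verify("1000313600001", first, now+5))
	fmt.Println("replay:", center.Verify("1000313600001", first, now+5))
}
```

Clearing the random number after a successful comparison is what makes each first dynamic password single-use; without it the password stays valid for the whole time step and a relayed copy would be accepted. The comparison uses a constant-time equality check so the center does not leak how many leading digits matched.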
Step 127: the client receives the error code sent by the authentication center, displays login failure information according to the error code, and ends;
In the secure login method provided in this embodiment, the authentication center issues the sensitive information in plaintext form to the client and sends the encrypted and signed sensitive information to the authenticating device; the client and the authenticating device each display the sensitive information; after the user confirms, the authenticating device generates a dynamic password and returns it to the authentication center, which authenticates the user's identity according to the received dynamic password, thereby realizing secure login.
Embodiment 3
Embodiment 3 of the invention provides a secure login system, as shown in Figure 4, comprising: a client, an authentication center and an authenticating device;
The client comprises: a first detection module 201, a first acquisition module 202, a first generation module 203, a first sending module 204, a first receiving module 205, a first processing module 206, a first display module 207 and a first judging module 208;
The first detection module 201 is used to detect whether there is trigger information;
The first acquisition module 202 is used to obtain the authenticating device serial number and the first sensitive information identifier of the authenticating device after the first detection module 201 detects trigger information;
The first generation module 203 is used to generate the sensitive information issuing request according to the authenticating device serial number and the first sensitive information identifier obtained by the first acquisition module 202;
The first sending module 204 is used to send the sensitive information issuing request generated by the first generation module 203 to the authentication center; to send the first reply data obtained by the first processing module 206 to the authenticating device; to send a login instruction to the authenticating device when the first judging module 208 judges that the second sensitive information received by the first receiving module 205 is consistent with the second sensitive information obtained by the first processing module 206; and to send the first dynamic password and the authenticating device serial number to the authentication center after the first receiving module 205 receives them from the authenticating device;
The first receiving module 205 is used to receive the response message sent by the authentication center, the error code sent by the authenticating device, the second sensitive information sent by the authenticating device, the first dynamic password and authenticating device serial number sent by the authenticating device, the authentication success message sent by the authentication center, and the error code sent by the authentication center;
The first processing module 206 is used to obtain the first reply data and the second sensitive information from the response message received by the first receiving module 205;
The first display module 207 is used to display login failure information according to the error code received by the first receiving module 205, and to display login failure information when the first judging module 208 judges that the second sensitive information received by the first receiving module 205 is inconsistent with the second sensitive information obtained by the first processing module 206;
The first judging module 208 is used to judge whether the second sensitive information received by the first receiving module 205 is consistent with the second sensitive information obtained by the first processing module 206;
The authentication center comprises: a second receiving module 301, a first lookup module 302, a second generation module 303, a third generation module 304, a fourth generation module 305, a second sending module 306, a second lookup module 307, a fifth generation module 308 and a second judging module 309;
The second receiving module 301 is used to receive the sensitive information issuing request sent by the client, and to receive the first dynamic password and the authenticating device serial number sent by the client;
The first lookup module 302 is used to look up the corresponding first sensitive information according to the first sensitive information identifier in the sensitive information issuing request received by the second receiving module 301, and to look up the second sensitive information in the authentication center;
The second generation module 303 is used to generate a random number and to store the random number in correspondence with the authenticating device serial number in the sensitive information issuing request received by the second receiving module 301;
The third generation module 304 is used to generate the first reply data from the first sensitive information and second sensitive information found by the first lookup module 302 and the random number generated by the second generation module 303;
The fourth generation module 305 is used to generate the response message from the first reply data generated by the third generation module 304 and the second sensitive information found by the first lookup module 302;
The second sending module 306 is used to send the response message generated by the fourth generation module 305 to the client; to send an authentication success message to the client when the second judging module 309 judges that the first dynamic password received by the second receiving module 301 is consistent with the second dynamic password generated by the fifth generation module 308; and to return an error code to the client when the second judging module 309 judges them inconsistent;
The second lookup module 307 is used to look up the corresponding random number according to the authenticating device serial number received by the second receiving module 301;
The fifth generation module 308 is used to generate the second dynamic password according to the random number found by the second lookup module 307, the time factor in the authentication center and the preset algorithm;
The second judging module 309 is used to judge whether the first dynamic password received by the second receiving module 301 is consistent with the second dynamic password generated by the fifth generation module 308;
The authenticating device comprises: a third receiving module 401, a second processing module 402, a second display module 403, a second detection module 404, a third judging module 405, a third sending module 406 and a sixth generation module 407;
The third receiving module 401 is used to receive the first reply data sent by the client and the login instruction sent by the client;
The second processing module 402 is used to obtain the first sensitive information, the second sensitive information and the random number from the first reply data received by the third receiving module 401;
The second display module 403 is used to display the first sensitive information obtained by the second processing module 402;
The second detection module 404 is used to detect whether a button is triggered while the second display module 403 displays the first sensitive information;
The third judging module 405 is used to judge the type of the button after the second detection module 404 detects that a button is triggered;
The third sending module 406 is used to send the first dynamic password generated by the sixth generation module 407 to the client; to return the second sensitive information obtained by the second processing module 402 to the client when the third judging module 405 judges the button to be the first button; and to return an error code to the client when the third judging module 405 judges the button to be the second button;
The sixth generation module 407 is used to generate the first dynamic password according to the time factor in the authenticating device, the preset algorithm and the random number obtained by the second processing module 402, after the third receiving module 401 receives the login instruction.
The first sending module 204 is also used to send an acquisition instruction to the authenticating device;
The first receiving module 205 is also used to receive the authenticating device serial number and the first sensitive information identifier returned by the authenticating device.
The first receiving module 205 is also used to receive the user information entered by the user;
The first acquisition module 202 is specifically used to look up, within the client, the authenticating device serial number and first sensitive information identifier corresponding to the user information received by the first receiving module 205.
The authentication center also comprises a fourth judging module, used to judge whether the authenticating device is legal according to the sensitive information issuing request received by the second receiving module 301;
The first lookup module 302 is also used to operate only after the fourth judging module judges that the authenticating device is legal;
The second sending module 306 is also used to return an error code to the client after the fourth judging module judges that the authenticating device is illegal.
The fourth judging module is specifically used to look up the state and the public key of the corresponding authenticating device according to the authenticating device serial number in the sensitive information issuing request received by the second receiving module 301; if the state of the found authenticating device shows that it is usable and the authenticating device public key exists, it determines that the authenticating device is legal, otherwise it determines that the authenticating device is illegal.
The third generation module 304 comprises: a first lookup unit, a first combining unit, a first encryption unit, a first signing unit and a first processing unit;
The first lookup unit is used to look up the corresponding authenticating device public key in the authentication center according to the authenticating device serial number in the sensitive information issuing request;
The first combining unit is used to splice and combine the first sensitive information, the second sensitive information and the random number to obtain the first data;
The first encryption unit is used to encrypt the first data with the authenticating device public key found by the first lookup unit, to obtain the first enciphered data;
The first signing unit is used to sign the first enciphered data with the authentication center private key, to obtain the first signature value;
The first processing unit is used to obtain the first reply data from the first enciphered data and the first signature value;
The authenticating device also comprises a first signature verification module, used to verify, with the stored authentication center public key, the signature on the first reply data received by the third receiving module 401, and to judge whether signature verification succeeds;
The second processing module 402 is also used to operate only after the first signature verification module judges that signature verification succeeds;
The third sending module 406 is also used to return an error code to the client after the first signature verification module judges that signature verification fails;
The second processing module 402 is specifically used to decrypt, with the authenticating device private key, the first enciphered data in the first reply data received by the third receiving module 401 to obtain the first data, and to split the obtained first data into the first sensitive information, the second sensitive information and the random number.
The first processing unit is specifically used to base64-encode the first enciphered data to obtain the first character data, base64-encode the first signature value to obtain the second character data, and splice the first character data and the second character data to generate the first reply data;
The first signature verification module is specifically used to base64-decode the first character data in the first reply data received by the third receiving module 401 to obtain the first enciphered data, base64-decode the second character data in the first reply data to obtain the first signature value, and verify the signature on the first reply data using the first enciphered data and the first signature value obtained by base64 decoding.
Alternatively, the first processing unit is specifically used to splice and combine the first enciphered data and the first signature value to obtain the second data, and to base64-encode the second data to obtain the first reply data;
The first signature verification module is then specifically used to base64-decode the first reply data received by the third receiving module 401 to obtain the second data, and to verify the signature on the first reply data using the first enciphered data and the first signature value contained in the decoded second data.
The first signature verification module is specifically used to perform the verification operation on the first signature value with the authentication center public key to obtain the first verification data, and to judge whether the first verification data obtained by the operation is consistent with the first enciphered data obtained by base64 decoding; if so, it determines that signature verification succeeds, otherwise it determines that signature verification fails.
The fourth generation module 305 is specifically used to splice and combine the first reply data and the second sensitive information to generate the response message;
The first processing module 206 is specifically used to split the response message to obtain the first reply data and the second sensitive information.
The first display module 207 is also used to display the second sensitive information obtained by the first processing module 206;
The second display module 403 is also used to display the second sensitive information obtained by the second processing module 402.
The client also comprises: a fifth judging module and a registration module;
The fifth judging module is used to judge, according to the authenticating device serial number, whether the authenticating device is bound to a user, when the first judging module 208 judges that the second sensitive information received by the first receiving module 205 is consistent with the second sensitive information obtained by the first processing module 206;
The registration module is used, after the fifth judging module judges that the authenticating device is not bound to a user, to prompt the user to register, receive the user information entered by the user, and bind the user to the authenticating device according to the received user information;
The first sending module 204 is specifically used to send a login instruction to the authenticating device after the registration module completes its work, and to send a login instruction to the authenticating device after the fifth judging module judges that the authenticating device is already bound to a user.
The fifth judging module is specifically used to judge whether user information corresponding to the authenticating device serial number can be found within the client; if so, it determines that the authenticating device is bound to a user, otherwise it determines that it is not bound.
The registration module is specifically used to prompt the user to register, receive the user information entered by the user, and store the received user information in correspondence with the authenticating device serial number, completing the binding.
The client also comprises: a second acquisition module and a sixth judging module;
The second acquisition module is used to obtain the user information corresponding to the authenticating device when the first judging module 208 judges that the second sensitive information received by the first receiving module 205 is consistent with the second sensitive information obtained by the first processing module 206;
The sixth judging module is used to judge whether the user is legal according to the user information obtained by the second acquisition module;
The first sending module 204 is also used to send the first dynamic password and the authenticating device serial number to the authentication center after the sixth judging module judges that the user is legal;
The first display module 207 is also used to display login failure information after the sixth judging module judges that the user is illegal.
The sixth judging module is specifically used to look up the corresponding user status according to the user information and judge whether the user status is abnormal; if so, it determines that the user is illegal, otherwise it determines that the user is legal.
The second display module 403 is also used to prompt the user whether to log in after the third receiving module 401 receives the login instruction;
The second detection module 404 is also used to detect whether a button is triggered after the second display module 403 prompts the user whether to log in;
The third judging module 405 is also used to judge the type of the button after the second detection module 404 detects that a button is triggered;
The sixth generation module 407 is also used to operate after the third judging module 405 judges that the first button is triggered;
The third sending module 406 is also used to return an error code to the client after the third judging module 405 judges that the second button is triggered.
The sixth generation module 407 comprises a first generation unit, a second encryption unit, a second signature unit and a second processing unit.
The first generation unit is configured to generate the first plaintext dynamic password according to the time factor in the authenticating device, the preset algorithm and the random number.
The second encryption unit is configured to encrypt the first plaintext dynamic password generated by the first generation unit according to the authentication center public key, obtaining the first ciphertext dynamic password.
The second signature unit is configured to sign, using the authenticating device private key, the first ciphertext dynamic password obtained by the second encryption unit, obtaining the second signature value.
The second processing unit is configured to obtain the first dynamic password according to the first ciphertext dynamic password obtained by the second encryption unit and the second signature value obtained by the second signature unit.
The authentication center further comprises a second signature verification module, a seventh generation module and a seventh judging module.
The second signature verification module is configured to verify the signature of the first dynamic password received by the second receiving module 301 according to the authenticating device public key, and to judge whether the signature verification succeeds.
The seventh generation module is configured to, after the second signature verification module judges that the signature verification succeeds, look up the corresponding random number according to the authenticating device serial number, generate the second plaintext dynamic password according to the random number, the time factor in the authentication center and the preset algorithm, and decrypt the first ciphertext dynamic password in the first dynamic password according to the authentication center private key, obtaining the first plaintext dynamic password.
The second sending module 306 is further configured to return an error code to the client after the second signature verification module judges that the signature verification fails.
The seventh judging module is configured to judge whether the first plaintext dynamic password obtained by the seventh generation module is consistent with the second plaintext dynamic password.
The second sending module 306 is further configured to send an authentication success message to the client after the seventh judging module judges that the first plaintext dynamic password obtained by the seventh generation module is consistent with the second plaintext dynamic password, and to return an error code to the client after the seventh judging module judges that the first plaintext dynamic password obtained by the seventh generation module is inconsistent with the second plaintext dynamic password.
The second processing unit is specifically configured to base64-encode the first ciphertext dynamic password to obtain third character data, base64-encode the second signature value to obtain fourth character data, and combine and splice the third character data and the fourth character data to obtain the first dynamic password.
The second signature verification module is specifically configured to split the first dynamic password to obtain the third character data and the fourth character data, base64-decode the obtained third character data to obtain the first ciphertext dynamic password, base64-decode the obtained fourth character data to obtain the second signature value, perform an operation on the base64-decoded second signature value according to the authenticating device public key to obtain second verification data, and judge whether the second verification data obtained by the operation is consistent with the base64-decoded first ciphertext dynamic password; if so, it determines that the signature verification succeeds, otherwise it determines that the signature verification fails.
The authentication center further comprises a removing module and an eighth judging module.
The removing module is configured to remove the random number after the second judging module 309 judges that the first dynamic password is consistent with the second dynamic password.
The eighth judging module is configured to judge whether the random number can be found.
The fifth generation module 308 is configured to operate after the eighth judging module judges that the random number is found.
The second sending module 306 is further configured to return an error code to the client after the eighth judging module judges that the random number is not found.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be encompassed within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (40)

1. A secure login method, applied to a system comprising a client, an authentication center and an authenticating device, characterized in that the method comprises:
Step S1: after the client detects trigger information, the client obtains the authenticating device serial number and the first sensitive information identifier of the authenticating device, generates a sensitive information delivery request according to the authenticating device serial number and the first sensitive information identifier, and sends the sensitive information delivery request to the authentication center;
Step S2: the authentication center looks up the corresponding first sensitive information according to the first sensitive information identifier in the sensitive information delivery request, looks up the second sensitive information in the authentication center, generates a random number, stores the random number in correspondence with the authenticating device serial number in the sensitive information delivery request, generates first reply data according to the first sensitive information, the second sensitive information and the random number, generates a response message according to the first reply data and the second sensitive information, and sends the response message to the client;
Step S3: the client obtains the first reply data and the second sensitive information according to the response message, and sends the obtained first reply data to the authenticating device;
Step S4: the authenticating device obtains the first sensitive information, the second sensitive information and the random number according to the received first reply data, and displays the obtained first sensitive information;
Step S5: after the authenticating device detects that a button is triggered, the authenticating device judges the type of the button; if it is the first button, it returns the second sensitive information obtained from the first reply data to the client and step S7 is executed; if it is the second button, it returns an error code to the client and step S6 is executed;
Step S6: the client receives the error code sent by the authenticating device, displays login failure information according to the error code, and the procedure ends;
Step S7: the client judges whether the received second sensitive information is consistent with the second sensitive information obtained according to the response message; if so, it sends a login instruction to the authenticating device and step S8 is executed; otherwise it displays login failure information and the procedure ends;
Step S8: the authenticating device generates a first dynamic password according to the time factor in the authenticating device, a preset algorithm and the random number obtained from the first reply data, and sends the first dynamic password and the authenticating device serial number to the client;
Step S9: the client sends the first dynamic password and the authenticating device serial number to the authentication center;
Step S10: the authentication center looks up the corresponding random number according to the authenticating device serial number, generates a second dynamic password according to the found random number, the time factor in the authentication center and the preset algorithm, and judges whether the first dynamic password is consistent with the second dynamic password; if so, it sends an authentication success message to the client and the procedure ends; otherwise it returns an error code to the client and step S11 is executed;
Step S11: the client receives the error code sent by the authentication center, displays login failure information according to the error code, and the procedure ends.
2. The method according to claim 1, characterized in that the client obtaining the authenticating device serial number and the first sensitive information identifier of the authenticating device specifically comprises: the client sends an obtaining instruction to the authenticating device, and receives the authenticating device serial number and the first sensitive information identifier returned by the authenticating device.
3. The method according to claim 1, characterized in that the client obtaining the authenticating device serial number and the first sensitive information identifier of the authenticating device specifically comprises: the client receives user information input by the user, and looks up, inside the client, the corresponding authenticating device serial number and first sensitive information identifier according to the user information.
4. The method according to claim 1, characterized in that, before step S2, the method comprises:
Step A1: the authentication center judges whether the authenticating device is legitimate according to the sensitive information delivery request; if so, step S2 is executed; otherwise it returns an error code to the client and step A2 is executed;
Step A2: the client receives the error code sent by the authentication center, displays login failure information according to the error code, and the procedure ends.
5. The method according to claim 4, characterized in that step A1 specifically comprises:
the authentication center looks up the state and the authenticating device public key of the corresponding authenticating device according to the authenticating device serial number in the sensitive information delivery request; if, according to the found state of the authenticating device, it judges that the authenticating device is usable and the authenticating device public key exists, step S2 is executed; otherwise it returns an error code to the client and step A2 is executed.
6. The method according to claim 1, characterized in that generating the first reply data according to the first sensitive information, the second sensitive information and the random number specifically comprises:
the authentication center looks up the corresponding authenticating device public key in the authentication center according to the authenticating device serial number in the sensitive information delivery request; the authentication center splices and combines the first sensitive information, the second sensitive information and the random number to obtain first data, encrypts the first data according to the found authenticating device public key to obtain first encrypted data, signs the first encrypted data using the authentication center private key to obtain a first signature value, and obtains the first reply data according to the first encrypted data and the first signature value;
before step S4, the method further comprises:
Step B1: the authenticating device verifies the signature of the received first reply data according to the stored authentication center public key and judges whether the signature verification succeeds; if so, step S4 is executed; otherwise it returns an error code to the client and step B2 is executed;
Step B2: the client receives the error code sent by the authenticating device, displays login failure information according to the error code, and the procedure ends;
the authenticating device obtaining the first sensitive information, the second sensitive information and the random number according to the received first reply data specifically comprises:
the authenticating device decrypts the first encrypted data in the received first reply data according to the authenticating device private key to obtain the first data, and splits the obtained first data to obtain the first sensitive information, the second sensitive information and the random number.
7. The method according to claim 6, characterized in that obtaining the first reply data according to the first encrypted data and the first signature value specifically comprises:
the authentication center base64-encodes the first encrypted data to obtain first character data, base64-encodes the first signature value to obtain second character data, and combines and splices the first character data and the second character data to generate the first reply data;
the authenticating device verifying the signature of the received first reply data according to the stored authentication center public key specifically comprises:
the authenticating device base64-decodes the first character data in the received first reply data to obtain the first encrypted data, base64-decodes the second character data in the first reply data to obtain the first signature value, and verifies the signature of the first reply data according to the base64-decoded first encrypted data and first signature value.
8. The method according to claim 6, characterized in that obtaining the first reply data according to the first encrypted data and the first signature value specifically comprises:
the authentication center combines and splices the first encrypted data and the first signature value to obtain second data, and base64-encodes the second data to obtain the first reply data;
the authenticating device verifying the signature of the received first reply data according to the stored authentication center public key specifically comprises:
the authenticating device base64-decodes the received first reply data to obtain the second data, and verifies the signature of the first reply data according to the first encrypted data and the first signature value in the base64-decoded second data.
9. The method according to claim 7 or 8, characterized in that verifying the signature of the first reply data specifically comprises:
the authenticating device performs an operation on the first signature value according to the authentication center public key to obtain first verification data, and judges whether the first verification data obtained by the operation is consistent with the base64-decoded first encrypted data; if so, it determines that the signature verification succeeds, otherwise it determines that the signature verification fails.
10. The method according to claim 1, characterized in that generating the response message according to the first reply data and the second sensitive information specifically comprises:
the authentication center combines and splices the first reply data and the second sensitive information to generate the response message;
obtaining the first reply data and the second sensitive information according to the response message specifically comprises:
the client splits the response message to obtain the first reply data and the second sensitive information.
11. The method according to claim 1, characterized in that step S3 further comprises: the client displays the second sensitive information;
in step S5, after the authenticating device detects that the first button is triggered, the method further comprises: the authenticating device displays the second sensitive information obtained from the first reply data.
12. The method according to claim 1, characterized in that, in step S7, before the client sends the login instruction to the authenticating device, the method further comprises:
Step C1: the client judges, according to the authenticating device serial number, whether the authenticating device is bound to a user; if so, step C3 is executed, otherwise step C2 is executed;
Step C2: the client prompts the user to register, receives the user information input by the user, binds the user and the authenticating device according to the received user information, and step C3 is executed;
Step C3: the client sends the login instruction to the authenticating device.
13. The method according to claim 12, characterized in that the client judging, according to the authenticating device serial number, whether the authenticating device is bound to a user specifically comprises:
the client judges whether user information corresponding to the authenticating device serial number can be found inside the client; if so, it determines that the authenticating device is bound to the user, otherwise it determines that the authenticating device is not bound to the user.
14. The method according to claim 12, characterized in that binding the user and the authenticating device according to the received user information specifically comprises: the client stores the received user information in correspondence with the authenticating device serial number, completing the binding.
15. The method according to claim 1, characterized in that, in step S7, after the client judges that the received second sensitive information is consistent with the second sensitive information obtained according to the response message, the method further comprises:
the client obtains the user information corresponding to the authenticating device;
before step S9, the method comprises: the client judges, according to the user information, whether the user is legitimate; if so, step S9 is executed; otherwise it displays login failure information and the procedure ends.
16. The method according to claim 15, characterized in that the client judging, according to the user information, whether the user is legitimate specifically comprises:
the client looks up the corresponding user status according to the user information and judges whether the user status is abnormal; if so, it determines that the user is illegitimate, otherwise it determines that the user is legitimate.
17. The method according to claim 1, characterized in that, before step S8, the method further comprises:
Step D1: after the authenticating device receives the login instruction, it prompts the user whether to log in;
Step D2: after the authenticating device detects that a button is triggered, the authenticating device judges the type of the button; if it is the first button, step S8 is executed; if it is the second button, it returns an error code to the client and step D3 is executed;
Step D3: the client receives the error code sent by the authenticating device, displays login failure information according to the error code, and the procedure ends.
18. The method according to claim 1, characterized in that the authenticating device generating the first dynamic password according to the time factor in the authenticating device, the preset algorithm and the random number obtained from the first reply data specifically comprises:
Step E1: the authenticating device generates a first plaintext dynamic password according to the time factor in the authenticating device, the preset algorithm and the random number obtained from the first reply data;
Step E2: the authenticating device encrypts the first plaintext dynamic password according to the authentication center public key to obtain a first ciphertext dynamic password;
Step E3: the authenticating device signs the first ciphertext dynamic password using the authenticating device private key to obtain a second signature value;
Step E4: the authenticating device obtains the first dynamic password according to the first ciphertext dynamic password and the second signature value;
step S10 specifically comprises:
Step F1: the authentication center verifies the signature of the received first dynamic password according to the authenticating device public key and judges whether the signature verification succeeds; if so, step F2 is executed; otherwise it returns an error code to the client and step S11 is executed;
Step F2: the authentication center looks up the corresponding random number according to the authenticating device serial number, generates a second plaintext dynamic password according to the random number, the time factor in the authentication center and the preset algorithm, and decrypts the first ciphertext dynamic password in the first dynamic password according to the authentication center private key to obtain the first plaintext dynamic password;
Step F3: the authentication center judges whether the first plaintext dynamic password is consistent with the second plaintext dynamic password; if so, it sends an authentication success message to the client and the procedure ends; otherwise it returns an error code to the client and step S11 is executed.
19. The method according to claim 18, characterized in that the authenticating device obtaining the first dynamic password according to the first ciphertext dynamic password and the second signature value comprises:
the authenticating device base64-encodes the first ciphertext dynamic password to obtain third character data, base64-encodes the second signature value to obtain fourth character data, and combines and splices the third character data and the fourth character data to obtain the first dynamic password;
the authentication center verifying the signature of the first dynamic password according to the authenticating device public key specifically comprises:
the authentication center splits the first dynamic password to obtain the third character data and the fourth character data, base64-decodes the obtained third character data to obtain the first ciphertext dynamic password, base64-decodes the obtained fourth character data to obtain the second signature value, performs an operation on the base64-decoded second signature value according to the authenticating device public key to obtain second verification data, and judges whether the second verification data obtained by the operation is consistent with the base64-decoded first ciphertext dynamic password; if so, it determines that the signature verification succeeds, otherwise it determines that the signature verification fails.
20. The method according to claim 1, characterized in that, after the authentication center judges that the received first dynamic password is consistent with the generated second dynamic password, the method further comprises: removing the random number;
before generating the second dynamic password in step S10, the method comprises:
the authentication center judges whether the random number can be found; if so, it continues; otherwise it returns an error code to the client and step S11 is executed.
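The dynamic-password leg of the protocol (step S8 and step S10 as refined by claims 18 to 20), together with the encrypt-then-sign, base64-and-splice pattern that claims 6 to 9 also apply to the first reply data in the other direction, as an added Go example that is not part of the patent or of any Feitian product: RSA-OAEP encryption, RSA-PSS signatures, HMAC-SHA256 as the unspecified "preset algorithm", a 16-byte random number and a '.' separator between the two base64 strings are all assumptions, since the patent names none of them. `VerifyLogin` also shows why claim 20 matters: once the stored random number is removed, a captured first dynamic password is rejected on replay.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// Assumed instantiation of the patent's unspecified "preset algorithm": HMAC-SHA256
// keyed with the shared random number over the time factor, truncated to six digits.
func plaintextDynamicPassword(randomNumber []byte, timeFactor uint64) string {
	var tf [8]byte
	binary.BigEndian.PutUint64(tf[:], timeFactor)
	mac := hmac.New(sha256.New, randomNumber)
	mac.Write(tf[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(mac.Sum(nil)[:4])%1000000)
}

// Encrypt to the receiver, sign the ciphertext as the sender, base64 both parts and splice (steps E2-E4; claims 6-7 do the same for the first reply data). The '.' separator is assumed.
func sealAndSign(plain []byte, recvPub *rsa.PublicKey, sendPriv *rsa.PrivateKey) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recvPub, plain, nil)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sendPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct) + "." + base64.StdEncoding.EncodeToString(sig), nil
}

// Receiving side (step F1 / claim 9): split, decode, verify the signature over the ciphertext
// with the sender's public key, and only then decrypt with the receiver's private key.
func verifyAndOpen(spliced string, sendPub *rsa.PublicKey, recvPriv *rsa.PrivateKey) ([]byte, error) {
	ctB64, sigB64, found := strings.Cut(spliced, ".")
	if !found {
		return nil, fmt.Errorf("malformed spliced data")
	}
	ct, errCT := base64.StdEncoding.DecodeString(ctB64)
	sig, errSig := base64.StdEncoding.DecodeString(sigB64)
	if errCT != nil || errSig != nil {
		return nil, fmt.Errorf("invalid base64 in spliced data")
	}
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(sendPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recvPriv, ct, nil)
}

type AuthCenter struct {
	priv      *rsa.PrivateKey
	devicePub map[string]*rsa.PublicKey // enrolled authenticating device public keys, by serial number
	randoms   map[string][]byte         // random number stored per serial number in step S2
}

func NewAuthCenter(priv *rsa.PrivateKey, serial string, devPub *rsa.PublicKey) *AuthCenter {
	return &AuthCenter{priv: priv, devicePub: map[string]*rsa.PublicKey{serial: devPub}, randoms: map[string][]byte{}}
}

// IssueRandomNumber is the random-number part of step S2 (16 bytes is an assumed length).
func (ac *AuthCenter) IssueRandomNumber(serial string) ([]byte, error) {
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	ac.randoms[serial] = r
	return r, nil
}

// VerifyLogin is step S10 as refined by claims 18-20 (F1-F3): the random number must still be stored,
// and it is removed once the comparison succeeds so the same first dynamic password is not accepted twice.
func (ac *AuthCenter) VerifyLogin(serial, firstDynamicPassword string, timeFactor uint64) error {
	devPub, randomNumber := ac.devicePub[serial], ac.randoms[serial]
	if devPub == nil || randomNumber == nil { // claim 20
		return fmt.Errorf("unknown serial number or random number already removed")
	}
	firstPlain, err := verifyAndOpen(firstDynamicPassword, devPub, ac.priv) // F1
	if err != nil {
		return err
	}
	if !hmac.Equal(firstPlain, []byte(plaintextDynamicPassword(randomNumber, timeFactor))) { // F2, F3
		return fmt.Errorf("dynamic password mismatch")
	}
	delete(ac.randoms, serial) // claim 20: single use
	return nil
}

// DeviceFirstDynamicPassword is step S8 (E1-E4) on the authenticating device.
func DeviceFirstDynamicPassword(devPriv *rsa.PrivateKey, centerPub *rsa.PublicKey, randomNumber []byte, timeFactor uint64) (string, error) {
	return sealAndSign([]byte(plaintextDynamicPassword(randomNumber, timeFactor)), centerPub, devPriv)
}

func GenerateKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // RSA is an assumed choice
```

The time factor is passed in explicitly so that both sides can be exercised deterministically; a deployment would derive it from the clock on each side, and the patent leaves its granularity unspecified.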
21. A secure login system, characterized in that the system comprises a client, an authentication center and an authenticating device;
the client comprises a first detection module, a first acquisition module, a first generation module, a first sending module, a first receiving module, a first processing module, a first display module and a first judging module;
the first detection module is configured to detect whether there is trigger information;
the first acquisition module is configured to obtain the authenticating device serial number and the first sensitive information identifier of the authenticating device after the first detection module detects the trigger information;
the first generation module is configured to generate a sensitive information delivery request according to the authenticating device serial number and the first sensitive information identifier obtained by the first acquisition module;
the first sending module is configured to send the sensitive information delivery request generated by the first generation module to the authentication center; send the first reply data obtained by the first processing module to the authenticating device; send a login instruction to the authenticating device when the first judging module judges that the second sensitive information received by the first receiving module is consistent with the second sensitive information obtained by the first processing module; and send the first dynamic password and the authenticating device serial number to the authentication center after the first receiving module receives the first dynamic password and the authenticating device serial number sent by the authenticating device;
the first receiving module is configured to receive the response message sent by the authentication center, receive the error code sent by the authenticating device, receive the second sensitive information sent by the authenticating device, receive the first dynamic password and the authenticating device serial number sent by the authenticating device, receive the authentication success message sent by the authentication center, and receive the error code sent by the authentication center;
the first processing module is configured to obtain the first reply data and the second sensitive information according to the response message received by the first receiving module;
the first display module is configured to display login failure information according to the error code received by the first receiving module, and to display login failure information when the first judging module judges that the second sensitive information received by the first receiving module is inconsistent with the second sensitive information obtained by the first processing module;
the first judging module is configured to judge whether the second sensitive information received by the first receiving module is consistent with the second sensitive information obtained by the first processing module;
the authentication center comprises a second receiving module, a first lookup module, a second generation module, a third generation module, a fourth generation module, a second sending module, a second lookup module, a fifth generation module and a second judging module;
the second receiving module is configured to receive the sensitive information delivery request sent by the client, and to receive the first dynamic password and the authenticating device serial number sent by the client;
the first lookup module is configured to look up the corresponding first sensitive information according to the first sensitive information identifier in the sensitive information delivery request received by the second receiving module, and to look up the second sensitive information in the authentication center;
the second generation module is configured to generate a random number and store the random number in correspondence with the authenticating device serial number in the sensitive information delivery request received by the second receiving module;
the third generation module is configured to generate the first reply data according to the first sensitive information found by the first lookup module, the second sensitive information, and the random number generated by the second generation module;
the fourth generation module is configured to generate the response message according to the first reply data generated by the third generation module and the second sensitive information found by the first lookup module;
the second sending module is configured to send the response message generated by the fourth generation module to the client; send an authentication success message to the client when the second judging module judges that the first dynamic password received by the second receiving module is consistent with the second dynamic password generated by the fifth generation module; and return an error code to the client when the second judging module judges that the first dynamic password received by the second receiving module is inconsistent with the second dynamic password generated by the fifth generation module;
the second lookup module is configured to look up the corresponding random number according to the authenticating device serial number received by the second receiving module;
the fifth generation module is configured to generate the second dynamic password according to the random number found by the second lookup module, the time factor in the authentication center and the preset algorithm;
the second judging module is configured to judge whether the first dynamic password received by the second receiving module is consistent with the second dynamic password generated by the fifth generation module;
the authenticating device comprises a third receiving module, a second processing module, a second display module, a second detection module, a third judging module, a third sending module and a sixth generation module;
the third receiving module is configured to receive the first reply data sent by the client, and to receive the login instruction sent by the client;
the second processing module is configured to obtain the first sensitive information, the second sensitive information and the random number according to the first reply data received by the third receiving module;
the second display module is configured to display the first sensitive information obtained by the second processing module;
the second detection module is configured to detect whether a button is triggered while the second display module displays the first sensitive information;
the third judging module is configured to judge the type of the button after the second detection module detects that a button is triggered;
the third sending module is configured to send the first dynamic password generated by the sixth generation module to the client; return the second sensitive information obtained by the second processing module to the client when the third judging module judges that the button is the first button; and return an error code to the client when the third judging module judges that the button is the second button;
the sixth generation module is configured to generate the first dynamic password according to the time factor in the authenticating device, the preset algorithm and the random number obtained by the second processing module after the third receiving module receives the login instruction.
22. The system according to claim 21, characterized in that the first sending module is further configured to send an acquisition instruction to the authenticating device;
The first receiving module is further configured to receive the authenticating device serial number and the first sensitive information identifier returned by the authenticating device.
23. The system according to claim 21, characterized in that the first receiving module is further configured to receive user information input by the user;
The first acquisition module is specifically configured to search, inside the client, for the authenticating device serial number and the first sensitive information identifier corresponding to the user information received by the first receiving module.
24. The system according to claim 21, characterized in that the authentication center further comprises a fourth judging module, configured to judge whether the authenticating device is legal according to the sensitive information issuing request received by the second receiving module;
The first searching module is further configured to operate after the fourth judging module judges that the authenticating device is legal;
The second sending module is further configured to return an error code to the client after the fourth judging module judges that the authenticating device is illegal.
25. The system according to claim 24, characterized in that the fourth judging module is specifically configured to search for the state and the authenticating device public key of the corresponding authenticating device according to the authenticating device serial number in the sensitive information issuing request received by the second receiving module; if the found state shows that the authenticating device is usable and the authenticating device public key exists, the authenticating device is determined to be legal, otherwise it is determined to be illegal.
26. The system according to claim 21, characterized in that the third generation module comprises: a first searching unit, a first combining unit, a first encryption unit, a first signature unit and a first processing unit;
The first searching unit is configured to search, in the authentication center, for the corresponding authenticating device public key according to the authenticating device serial number in the sensitive information issuing request;
The first combining unit is configured to splice the first sensitive information, the second sensitive information and the random number together to obtain first data;
The first encryption unit is configured to encrypt the first data with the authenticating device public key found by the first searching unit to obtain first encrypted data;
The first signature unit is configured to sign the first encrypted data with the authentication center private key to obtain a first signature value;
The first processing unit is configured to obtain the first reply data according to the first encrypted data and the first signature value;
The authenticating device further comprises a first signature verification module, configured to verify the signature of the first reply data received by the third receiving module with the stored authentication center public key and to judge whether the verification succeeds;
The second processing module is further configured to operate after the first signature verification module judges that the verification succeeded;
The third sending module is further configured to return an error code to the client after the first signature verification module judges that the verification failed;
The second processing module is specifically configured to decrypt the first encrypted data in the first reply data received by the third receiving module with the authenticating device private key to obtain the first data, and to split the obtained first data to obtain the first sensitive information, the second sensitive information and the random number.
27. The system according to claim 26, characterized in that the first processing unit is specifically configured to base64-encode the first encrypted data to obtain first character data, base64-encode the first signature value to obtain second character data, and splice the first character data and the second character data together to generate the first reply data;
The first signature verification module is specifically configured to base64-decode the first character data in the first reply data received by the third receiving module to obtain the first encrypted data, base64-decode the second character data in the first reply data to obtain the first signature value, and verify the signature of the first reply data according to the first encrypted data and the first signature value obtained by base64 decoding.
28. The system according to claim 26, characterized in that the first processing unit is specifically configured to splice the first encrypted data and the first signature value together to obtain second data, and to base64-encode the second data to obtain the first reply data;
The first signature verification module is specifically configured to base64-decode the first reply data received by the third receiving module to obtain the second data, and to verify the signature of the first reply data according to the first encrypted data and the first signature value in the second data obtained by base64 decoding.
29. The system according to claim 27 or 28, characterized in that the first signature verification module is specifically configured to perform an operation on the first signature value with the authentication center public key to obtain first verification data, and to judge whether the first verification data obtained by the operation is consistent with the first encrypted data obtained by base64 decoding; if so, the signature verification is determined to have succeeded, otherwise it is determined to have failed.
30. The system according to claim 21, characterized in that the fourth generation module is specifically configured to splice the first reply data and the second sensitive information together to generate the response message;
The first processing module is specifically configured to split the response message to obtain the first reply data and the second sensitive information.
31. The system according to claim 21, characterized in that the first display module is further configured to display the second sensitive information obtained by the first processing module;
The second display module is further configured to display the second sensitive information obtained by the second processing module.
32. The system according to claim 21, characterized in that the client further comprises: a fifth judging module and a registration module;
The fifth judging module is configured to judge, according to the authenticating device serial number, whether the authenticating device is bound to a user, when the first judging module judges that the second sensitive information received by the first receiving module is consistent with the second sensitive information obtained by the first processing module;
The registration module is configured to prompt the user to register after the fifth judging module judges that the authenticating device is not bound to a user, to receive the user information input by the user, and to bind the user and the authenticating device according to the received user information;
The first sending module is specifically configured to send the login instruction to the authenticating device after the registration module completes its work, and to send the login instruction to the authenticating device after the fifth judging module judges that the authenticating device is already bound to a user.
33. The system according to claim 32, characterized in that the fifth judging module is specifically configured to judge whether user information corresponding to the authenticating device serial number can be found inside the client; if so, the authenticating device is determined to be bound to the user, otherwise it is determined not to be bound to the user.
34. The system according to claim 32, characterized in that the registration module is specifically configured to prompt the user to register, receive the user information input by the user, and store the received user information in correspondence with the authenticating device serial number to complete the binding.
35. The system according to claim 21, characterized in that the client further comprises: a second acquisition module and a sixth judging module;
The second acquisition module is configured to obtain the user information corresponding to the authenticating device when the first judging module judges that the second sensitive information received by the first receiving module is consistent with the second sensitive information obtained by the first processing module;
The sixth judging module is configured to judge whether the user is legal according to the user information obtained by the second acquisition module;
The first sending module is further configured to send the first dynamic password and the authenticating device serial number to the authentication center after the sixth judging module judges that the user is legal;
The first display module is further configured to display login failure information after the sixth judging module judges that the user is illegal.
36. The system according to claim 35, characterized in that the sixth judging module is specifically configured to search for the corresponding user state according to the user information and to judge whether the user state is abnormal; if so, the user is determined to be illegal, otherwise the user is determined to be legal.
37. The system according to claim 21, characterized in that the second display module is further configured to prompt the user whether to log in after the third receiving module receives the login instruction;
The second detection module is further configured to detect whether a button is triggered after the second display module prompts the user whether to log in;
The third judging module is further configured to judge the type of the button after the second detection module detects that a button is triggered;
The sixth generation module is further configured to operate after the third judging module judges that the first button is triggered;
The third sending module is further configured to return an error code to the client after the third judging module judges that the second button is triggered.
38. The system according to claim 21, characterized in that the sixth generation module comprises: a first generation unit, a second encryption unit, a second signature unit and a second processing unit;
The first generation unit is configured to generate a first plaintext dynamic password according to the time factor in the authenticating device, the preset algorithm and the random number;
The second encryption unit is configured to encrypt the first plaintext dynamic password generated by the first generation unit with the authentication center public key to obtain a first ciphertext dynamic password;
The second signature unit is configured to sign the first ciphertext dynamic password obtained by the second encryption unit with the authenticating device private key to obtain a second signature value;
The second processing unit is configured to obtain the first dynamic password according to the first ciphertext dynamic password obtained by the second encryption unit and the second signature value obtained by the second signature unit;
The authentication center further comprises: a second signature verification module, a seventh generation module and a seventh judging module;
The second signature verification module is configured to verify the signature of the first dynamic password received by the second receiving module with the authenticating device public key and to judge whether the verification succeeds;
The seventh generation module is configured, after the second signature verification module judges that the verification succeeded, to search for the corresponding random number according to the authenticating device serial number, to generate a second plaintext dynamic password according to the random number, the time factor in the authentication center and the preset algorithm, and to decrypt the first ciphertext dynamic password in the first dynamic password with the authentication center private key to obtain the first plaintext dynamic password;
The second sending module is further configured to return an error code to the client after the second signature verification module judges that the verification failed;
The seventh judging module is configured to judge whether the first plaintext dynamic password obtained by the seventh generation module is consistent with the second plaintext dynamic password;
The second sending module is further configured to send an authentication success message to the client after the seventh judging module judges that the first plaintext dynamic password obtained by the seventh generation module is consistent with the second plaintext dynamic password, and to return an error code to the client after the seventh judging module judges that they are inconsistent.
39. The system according to claim 38, characterized in that the second processing unit is specifically configured to base64-encode the first ciphertext dynamic password to obtain third character data, base64-encode the second signature value to obtain fourth character data, and splice the third character data and the fourth character data together to obtain the first dynamic password;
The second signature verification module is specifically configured to split the first dynamic password to obtain the third character data and the fourth character data, base64-decode the third character data to obtain the first ciphertext dynamic password, base64-decode the fourth character data to obtain the second signature value, perform an operation on the base64-decoded second signature value with the authenticating device public key to obtain second verification data, and judge whether the second verification data obtained by the operation is consistent with the first ciphertext dynamic password obtained by base64 decoding; if so, the signature verification is determined to have succeeded, otherwise it is determined to have failed.
40. The system according to claim 21, characterized in that the authentication center further comprises a removing module and an eighth judging module;
The removing module is configured to remove the random number after the second judging module judges that the first dynamic password is consistent with the second dynamic password;
The eighth judging module is configured to judge whether the random number can be found;
The fifth generation module is configured to operate after the eighth judging module judges that the random number was found;
The second sending module is further configured to return an error code to the client after the eighth judging module judges that the random number was not found.
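The sealed-message framing of claims 26 to 29 and 38 to 39 and the single-use random number of claim 40, as an added Go example that is not the patent's or Feitian's code. Assumptions not in the claims: RSA-OAEP for the encryption, a PKCS#1 v1.5 signature over a SHA-256 hash of the ciphertext in place of the raw public-key operation of claims 29 and 39, "|" as the separator between the spliced base64 fields, an HMAC-SHA256 six-digit "preset algorithm", and a random number handed to the device directly instead of inside the claim 26 reply (which would be sealed with the same seal/open pair).

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const sep = "|" // separator for the "spliced" fields (assumed; the claims name none)
// outstanding: device serial -> issued random number; deleted after a successful check (claim 40).
var outstanding = map[string][]byte{}

// seal: encrypt for the receiver, sign the ciphertext with the sender's private key, base64 both, join (claims 27, 39).
func seal(plain []byte, recvPub *rsa.PublicKey, sendPriv *rsa.PrivateKey) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recvPub, plain, nil)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256(ct)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sendPriv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct) + sep + base64.StdEncoding.EncodeToString(sig), nil
}

// open: split, base64-decode, verify the signature over the ciphertext, and only then decrypt (claims 26, 38).
func open(msg string, sendPub *rsa.PublicKey, recvPriv *rsa.PrivateKey) ([]byte, error) {
	a, b, found := strings.Cut(msg, sep)
	ct, errC := base64.StdEncoding.DecodeString(a)
	sig, errS := base64.StdEncoding.DecodeString(b)
	if !found || errC != nil || errS != nil {
		return nil, errors.New("malformed message")
	}
	h := sha256.Sum256(ct)
	if rsa.VerifyPKCS1v15(sendPub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature verification failed") // error code goes back to the client
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recvPriv, ct, nil)
}

// dynamicPassword is the assumed "preset algorithm" (the patent leaves it open):
// HMAC-SHA256 keyed with the random number over the time step, cut to six digits.
func dynamicPassword(random []byte, step uint64) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], step)
	m := hmac.New(sha256.New, random)
	m.Write(t[:])
	return []byte(fmt.Sprintf("%06d", binary.BigEndian.Uint32(m.Sum(nil)[:4])%1000000))
}

// deviceLogin: the authenticating device builds the first dynamic password (claims 38-39).
func deviceLogin(random []byte, step uint64, acPub *rsa.PublicKey, devPriv *rsa.PrivateKey) (string, error) {
	return seal(dynamicPassword(random, step), acPub, devPriv)
}

// centerVerify: the authentication center checks the first dynamic password (claims 38-40).
func centerVerify(serial, firstDP string, step uint64, devPub *rsa.PublicKey, acPriv *rsa.PrivateKey) error {
	r, ok := outstanding[serial]
	if !ok {
		return errors.New("no random number on file") // 8th judge module
	}
	plain, err := open(firstDP, devPub, acPriv)
	if err != nil {
		return err
	}
	if !hmac.Equal(plain, dynamicPassword(r, step)) {
		return errors.New("dynamic password mismatch")
	}
	delete(outstanding, serial) // removing module: the random number is single-use
	return nil
}
```

A second centerVerify call with the same first dynamic password fails at the eighth judging module's check, because the removing module deleted the random number after the first success.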
Application CN201410362690.5A, priority date 2014-07-28, filing date 2014-07-28, "Safe login method and system", status Active, granted as CN104104687B (en)

Publications (2)

Publication Number Publication Date
CN104104687A (en) 2014-10-15
CN104104687B (en) 2017-02-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant